Insecure transition from HTTP to HTTPS

RESOLVED WONTFIX

Status

www.mozilla.org
General
--
major
RESOLVED WONTFIX
7 years ago
5 years ago

People

(Reporter: geeknik, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [infrasec:tls][ws:low])

(Reporter)

Description

7 years ago
The following forms are being served from an insecure (HTTP) page. These pages could be hijacked using a Man-in-the-middle attack and an attacker could replace the form target.

http://www.mozilla.org/
Form name: ""
Form action: "https://www.mozilla.com/en-US/newsletter/"

http://www.mozilla.org/developer
Form name: ""
Form action: "https://bugzilla.mozilla.org/show_bug.cgi"

The impact of this vulnerability is possible information disclosure.
If there's a MITM rewriting the www.mozilla.org pages then anything could look like anything and would probably fool the user.

The bugzilla link is HTTPS because bugzilla.mozilla.org is only available over HTTPS, not because the search terms sent are considered super private data that needs protecting.

I'm only guessing about the newsletter one, but it might be HTTPS so they don't have to worry about generating dynamic content. That way if the user goes to https://www.mozilla.org instead of http://www.mozilla.org they won't get a "submitting to insecure page" warning.
Whiteboard: [infrasec:tls][ws:low]
There is no secure data being protected here, https is used only for convenience.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → WONTFIX
Group: websites-security
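The condition the report describes, as an added check that is not code from the bug or from Mozilla: parse a page, resolve each form action against the URL the page was fetched from, and flag any form that arrived over plain HTTP regardless of its action scheme. The sample HTML is constructed to mirror the two forms listed in the report; the "ok" and "mixed" branches are assumptions about how a practitioner would classify the other cases.

```python
"""Audit HTML forms for the HTTP-page / HTTPS-action pattern from the report."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Record (name, action) for every <form> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = dict(attrs)
            self.forms.append((a.get("name") or "", a.get("action") or ""))


def audit_forms(page_url, html):
    """Return one finding per form: its name, resolved target and a verdict.

    The verdict depends first on how the page itself was delivered: a form on
    an HTTP page is exposed even when its action is HTTPS, because an on-path
    attacker can rewrite the action before the browser renders the form.
    """
    page_scheme = urlsplit(page_url).scheme.lower()
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for name, action in parser.forms:
        target = urljoin(page_url, action)  # relative actions inherit the page scheme
        if page_scheme != "https":
            verdict = "insecure: page delivered over HTTP, action can be rewritten"
        elif urlsplit(target).scheme.lower() != "https":
            verdict = "insecure: HTTPS page submits to a non-HTTPS target"
        else:
            verdict = "ok"
        findings.append({"name": name, "action": target, "verdict": verdict})
    return findings


# Constructed sample mirroring the two forms listed in the report.
SAMPLE_HTML = """<html><body>
<form action="https://www.mozilla.com/en-US/newsletter/" method="post"><input name="email"></form>
<form action="https://bugzilla.mozilla.org/show_bug.cgi" method="get"><input name="id"></form>
</body></html>"""

if __name__ == "__main__":
    for f in audit_forms("http://www.mozilla.org/", SAMPLE_HTML):
        print(f["verdict"], "->", f["action"])
```

Run against the HTTP URL both forms are flagged; the same markup fetched over HTTPS passes, which is exactly the distinction the report draws.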
(Assignee)

Updated

5 years ago
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org

Updated

5 years ago
Blocks: 835434