Closed
Bug 622478
Opened 13 years ago
Closed 13 years ago
Insecure transition from HTTP to HTTPS
Categories
(www.mozilla.org :: General, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: geeknik, Unassigned)
Details
(Whiteboard: [infrasec:tls][ws:low])
The following forms are being served from an insecure (HTTP) page. These pages could be hijacked using a Man-in-the-middle attack and an attacker could replace the form target.

http://www.mozilla.org/
Form name: ""
Form action: "https://www.mozilla.com/en-US/newsletter/"

http://www.mozilla.org/developer
Form name: ""
Form action: "https://bugzilla.mozilla.org/show_bug.cgi"

The impact of this vulnerability is possible information disclosure.
Comment 2•13 years ago
If there's a MITM rewriting the www.mozilla.org pages then anything could look like anything and would probably fool the user. The bugzilla link is HTTPS because bugzilla.mozilla.org is only available over HTTPS, not because the search terms sent are considered super private data that needs protecting. I'm only guessing about the newsletter one, but it might be HTTPS so they don't have to worry about generating dynamic content. That way if the user goes to https://www.mozilla.org instead of http://www.mozilla.org they won't get a "submitting to insecure page" warning.
Updated•13 years ago
Whiteboard: [infrasec:tls][ws:low]
Comment 3•13 years ago
There is no secure data being protected here, https is used only for convenience.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
Updated•12 years ago
Group: websites-security
Updated•12 years ago
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org