Issue http://www.mozilla.org/en-US/firefox/fx/ will display a page that accepts the user's email address. This page must always be served over HTTPS. In addition, the page must also post the user's credentials over HTTPS. Steps to reproduce: 1. Go to http://www.mozilla.org/en-US/firefox/fx/ 2. If you don't see the email submission form then reload the page (its designed to appear 50% of the time) 3. Notice the view source shows the form action of <form action="/en-US/newsletter/" method="post" id="newsletter-form"> which will post over HTTP Recommended Remediation The email submission page and form action must always be HTTPS.
The footer for almost every page on mozilla.org (formerly mozilla.com) has a newsletter box, yet as far as I can tell, HTTPS is not used for that. Basically, in order to meet this requirement, every page on the site would need to be over SSL, which while being great from a security perspective, is most likely not going to be possible due to performance reasons, though IT will obviously have more definitive numbers and info on this.
Whiteboard: [infrasec:ssl][ws:major] → [infrasec:tls][ws:high]
(In reply to Reed Loden [:reed] (very busy) from comment #1) > The footer for almost every page on mozilla.org (formerly mozilla.com) has a > newsletter box, yet as far as I can tell, HTTPS is not used for that. > Basically, in order to meet this requirement, every page on the site would > need to be over SSL, which while being great from a security perspective, is > most likely not going to be possible due to performance reasons, though IT > will obviously have more definitive numbers and info on this. Yea, this is a concern. I think for the splash page (which will generate a lot of traffic) we should force ssl. I understand the footers are not optimal, but not something we can address at the moment.
We can also change the footers and hardcode the form action to HTTPS. This certainly doesn't protect against a MITM (they could just change the original page response over HTTP and remove the https), but it does prevent a large number of clear text email addresses being sent.
Adding Raymond and Stephen here as well.
I never registered to me that email addresses are that sensitive, but that's good to know. We can definitely change the form action to https. We'll need someone from IT to way in on forcing the splash page to SSL.
Adding one more to this one - there's an extra email sign-up on http://www.mozilla.org/en-US/firefox/channel we need to catch as well.
This has been fixed in a bug reported during the security review of the pref center. We've moved most of the newsletter pages to force SSL. This hasn't been pushed out yet but will be this week.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 694982
Component: www.mozilla.org/firefox → www.mozilla.org
Product: Websites → Websites
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org
Restoring unintended removal of in-testsuite flag.
You need to log in before you can comment on or make changes to this bug.