Closed
Bug 683779
Opened 14 years ago
Closed 14 years ago
Email Addresses Can Only Be Submitted over HTTPS
Categories: www.mozilla.org :: General, defect
Tracking: (Not tracked)
Status: VERIFIED DUPLICATE of bug 694982
People: (Reporter: mcoates, Assigned: jlong)
Details: (Whiteboard: [infrasec:tls][ws:high])
Issue
http://www.mozilla.org/en-US/firefox/fx/ will display a page that accepts the user's email address. This page must always be served over HTTPS. In addition, the page must also post the user's credentials over HTTPS.
Steps to reproduce:
1. Go to http://www.mozilla.org/en-US/firefox/fx/
2. If you don't see the email submission form then reload the page (it's designed to appear 50% of the time)
3. Notice the view source shows the form action of
<form action="/en-US/newsletter/" method="post" id="newsletter-form">
which will post over HTTP
Recommended Remediation
The email submission page and form action must always be HTTPS.
Comment 1•14 years ago
The footer for almost every page on mozilla.org (formerly mozilla.com) has a newsletter box, yet as far as I can tell, HTTPS is not used for that. Basically, in order to meet this requirement, every page on the site would need to be over SSL, which while being great from a security perspective, is most likely not going to be possible due to performance reasons, though IT will obviously have more definitive numbers and info on this.
Updated•14 years ago
Whiteboard: [infrasec:ssl][ws:major] → [infrasec:tls][ws:high]
Comment 2•14 years ago
(In reply to Reed Loden [:reed] (very busy) from comment #1)
> The footer for almost every page on mozilla.org (formerly mozilla.com) has a
> newsletter box, yet as far as I can tell, HTTPS is not used for that.
> Basically, in order to meet this requirement, every page on the site would
> need to be over SSL, which while being great from a security perspective, is
> most likely not going to be possible due to performance reasons, though IT
> will obviously have more definitive numbers and info on this.
Yeah, this is a concern. I think for the splash page (which will generate a lot of traffic) we should force SSL. I understand the footers are not optimal, but not something we can address at the moment.
Comment 3•14 years ago
We can also change the footers and hardcode the form action to HTTPS. This certainly doesn't protect against a MITM (they could just change the original page response over HTTP and remove the https), but it does prevent a large number of clear text email addresses being sent.
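As an added example (not code from this bug or from mozilla.org), a small check that resolves each form's action against the URL the page was served from and flags forms that would submit over plaintext HTTP; the sample HTML is constructed from the form quoted in the report, and the class and function names are my own.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionCollector(HTMLParser):
    """Collects (id, method, action) for every <form> in a document."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "form":
            return
        a = dict(attrs)
        self.forms.append({
            "id": a.get("id") or "",
            "method": (a.get("method") or "get").lower(),
            "action": a.get("action") or "",
        })


def insecure_forms(page_url, html):
    """Return (id, method, resolved_action) for forms that would post over HTTP.

    A relative action inherits the scheme of the page that served it, so a
    form on an http:// page submits over http:// unless the action names
    https:// explicitly (the hardcoded-HTTPS fix discussed in the thread).
    """
    parser = FormActionCollector()
    parser.feed(html)
    findings = []
    for f in parser.forms:
        target = urljoin(page_url, f["action"])
        if urlsplit(target).scheme.lower() != "https":
            findings.append((f["id"], f["method"], target))
    return findings


# Constructed sample: the form quoted in the report, served from the HTTP URL.
PAGE_URL = "http://www.mozilla.org/en-US/firefox/fx/"
VULNERABLE_HTML = ('<form action="/en-US/newsletter/" method="post" '
                   'id="newsletter-form"><input name="email"></form>')
# Hardened variant: action pinned to https://. As comment 3 notes, this only
# holds if the page itself arrives unmodified; serving the page over HTTPS
# is what closes that gap.
FIXED_HTML = ('<form action="https://www.mozilla.org/en-US/newsletter/" '
              'method="post" id="newsletter-form"><input name="email"></form>')

if __name__ == "__main__":
    print(insecure_forms(PAGE_URL, VULNERABLE_HTML))  # flags newsletter-form
    print(insecure_forms(PAGE_URL, FIXED_HTML))       # []
```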
Comment 5•14 years ago
It never registered with me that email addresses are that sensitive, but that's good to know.
We can definitely change the form action to https. We'll need someone from IT to weigh in on forcing the splash page to SSL.
Adding one more to this one - there's an extra email sign-up on http://www.mozilla.org/en-US/firefox/channel we need to catch as well.
Updated•14 years ago
Flags: in-testsuite?
Comment 7•14 years ago
This has been fixed in a bug reported during the security review of the pref center. We've moved most of the newsletter pages to force SSL.
This hasn't been pushed out yet but will be this week.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Updated•14 years ago
Status: RESOLVED → VERIFIED
Updated•14 years ago
Component: www.mozilla.org/firefox → www.mozilla.org
Updated•13 years ago
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org