Re: [Repo-criteria-discuss] Savannah and HTTPS


From: Mike Gerwitz
Subject: Re: [Repo-criteria-discuss] Savannah and HTTPS
Date: Sun, 09 Oct 2016 10:39:55 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

On Sun, Oct 09, 2016 at 11:01:33 +0000, Juuso Lapinlampi wrote:
> I still don't like the idea of having login pages (or login session
> cookies) reachable over HTTP.

It is also worth noting that Firefox will soon display websites that
serve login forms over HTTP as insecure:

https://hacks.mozilla.org/2016/01/login-forms-over-https-please/

I agree that in modern times it is irresponsible to serve login forms
over a plaintext connection, but I'm not crying bad intent or negligence
here---now that we're aware of the issue, it just needs a slight change.

In the case of Savannah, if the user loads the page over HTTPS, they
will be served the login form over HTTPS.  That's good, but a redirect
should still otherwise happen.  I say this because it is also important
to note that it is not an option to use Tor to log into a website using
a plaintext HTTP connection---that allows malicious exit nodes to
harvest account information.

So the simple change here is to add a webserver redirect to ensure that
the login form always redirects to HTTPS (/account/login.php).

The EFF's HTTPS Everywhere plugin was created to help to mitigate this
issue (sites supporting HTTPS serving HTTP as well), as it is
widespread.  I use it, which is why I never noticed the issue on
Savannah.

The better option is to simply drop HTTP support on Savannah entirely
and always redirect.  Going back to Tor: it's also not wise to use
Savannah over HTTP when logged in over Tor, because a malicious node
could hijack your session.  This is also true for any other MITM, which
is trivial and undetectable over HTTP.

Richard: unless there's a compelling reason not to, I think the
sysadmins or Savannah hackers (whoever has the ability) should just add
a webserver rule to redirect all requests on port 80 to 443.  Ideally,
the HSTS header could be added at the same time, since that was created
to mitigate the issue of HTTP requests accidentally being made.  For
example, if the login form was loaded over HTTPS, but accidentally posts
to an HTTP link, then those login data will be first posted in
plaintext, before then being redirected (and reposted) over a secure
connection.

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: 2217 5B02 E626 BC98 D7C0  C2E5 F22B B815 8EE3 0EAB
https://mikegerwitz.com

Attachment: signature.asc
Description: PGP signature
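The webserver rule proposed in the mail (redirect every port-80 request to 443, and send an HSTS header from the HTTPS side) looks like the following in nginx. This is an added illustration, not Savannah's actual configuration and not something posted in the thread; the hostname, certificate paths, document root and PHP backend socket are placeholders.

```nginx
# Added example (not Savannah's configuration): an nginx site definition
# implementing the two changes proposed in the mail.  Hostnames, paths
# and the PHP backend are placeholders.

# 1. Plain-HTTP listener: serve nothing, only redirect.  The 301 keeps the
#    path and query string, so a request for /account/login.php lands on
#    the HTTPS copy of the login form rather than on a plaintext one.
server {
    listen 80;
    listen [::]:80;
    server_name savannah.example.org;          # placeholder hostname

    return 301 https://$host$request_uri;
}

# 2. HTTPS listener: the only place content (including the login form)
#    is served.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name savannah.example.org;          # placeholder hostname

    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;    # placeholder

    # HSTS: a browser that has received this header over HTTPS rewrites any
    # later http:// URL for the host to https:// before sending the
    # request, which covers the "form accidentally posts to an HTTP link"
    # case in the mail.  Browsers ignore the header when it arrives over
    # plain HTTP, so it belongs only in this block, never in the port-80
    # one.  "always" makes nginx attach it to error responses as well.
    # Start with a short max-age (e.g. 300) until every host the policy
    # covers is confirmed to serve HTTPS correctly; clients that have
    # cached a long max-age cannot be told to forget it early.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root  /var/www/savannah;                   # placeholder docroot
    index index.php;

    location ~ \.php$ {
        # placeholder PHP-FPM backend; the login handler lives under /account/
        fastcgi_pass unix:/run/php/php-fpm.sock;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

Two points worth checking once such a rule is deployed: the redirect only protects requests that reach the server, so a client that has never seen the HSTS header still sends its first request (and, for the session-cookie concern raised earlier in the thread, any cookie lacking the Secure attribute) in plaintext before being redirected; and a 301 on a POST means the submitted form data has already crossed the wire unencrypted, which is exactly why the mail wants HSTS alongside the redirect rather than the redirect alone.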
