|View Issue Details|
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0000666||bugs.cacert.org||misc||public||2009-01-03 20:22||2017-04-04 16:29|
|Platform||Main CAcert Website||OS||N/A||OS Version||stable|
|Summary||0000666: Mantis allows login without SSL/TLS|
|Description||Mantis allows login without SSL/TLS. You need to manually add the s for SSL/TLS in the location bar of your browser.|
|Additional Information||Possible fix:|
check the protocol (HTTP/HTTPS) and redirect to https://$HOST/$SCRIPT?$QUERY_STRING if it is HTTP. As it will mainly redirect on the login page, this should not break anything.
|Tags||No tags attached.|
|Attached Files|| rfc3330.txt (16,200 bytes) 2014-10-04 09:53
dd.exe (87,552 bytes) 2014-10-04 09:54
The possibility to log in without HTTPS is a feature, not a bug. (So that people who have trouble importing the root certificate can also file bugs.)
The default login with HTTP is a bug; we would prefer to default to HTTPS login.
Could you evaluate whether we can configure that in Mantis, and if not, file a feature request for that feature on http://www.mantisbt.org/
The confirmation mail when you register in Mantis redirects you to the non-secure access where you have to define your password.
Please change all links to https.
I don't agree with "possibility to login without HTTPS is a feature";
this is probably a very specific case. You can still offer a redirect page that displays information, a link to a form specific to this kind of problem, and a link to the secure site. A FAQ about "cannot access the https site" can also be present on that form to help the user and avoid a ticket if he did not import the root certificate (which is no longer sufficient, as Firefox is refusing MD5/RSA signed certificates in the full chain, as stated in ticket 0001305).
So please, secure all our sites and make it state of the art.
Thanks a lot for the hard work!
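
The redirect proposed under "Possible fix", as an added example in plain PHP (not part of the original issue and not MantisBT code): it checks the host against an allowlist instead of trusting the Host header, and takes the script path and query string from REQUEST_URI. The function name, the allowlist and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example: plain PHP only, no MantisBT API is used or implied.

/**
 * Return the HTTPS URL a plain-HTTP request should be redirected to,
 * or null when the request already arrived over HTTPS.
 * Throws DomainException when the Host header is not one we serve.
 */
function https_redirect_target(array $server, array $allowedHosts): ?string
{
    $https = $server['HTTPS'] ?? '';
    if ($https !== '' && strtolower($https) !== 'off') {
        return null; // already encrypted, nothing to do
    }

    // HTTP_HOST is client-controlled: strip an optional port and compare it
    // against an allowlist before it goes anywhere near a Location header.
    $host = strtolower((string) preg_replace('/:\d+$/', '', $server['HTTP_HOST'] ?? ''));
    if (!in_array($host, $allowedHosts, true)) {
        throw new DomainException('unexpected Host header');
    }

    // REQUEST_URI already holds script path plus query string; fall back to
    // "/" if it is not an origin-form path.
    $uri = $server['REQUEST_URI'] ?? '/';
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/';
    }
    return 'https://' . $host . $uri;
}

// Constructed sample requests (paths are made up, not taken from the tracker).
$allowed = ['bugs.cacert.org'];
$samples = [
    ['HTTP_HOST' => 'bugs.cacert.org', 'REQUEST_URI' => '/page.php?id=666'],
    ['HTTPS' => 'on', 'HTTP_HOST' => 'bugs.cacert.org', 'REQUEST_URI' => '/page.php'],
    ['HTTP_HOST' => 'other.example', 'REQUEST_URI' => '/page.php'],
];
foreach ($samples as $s) {
    try {
        $target = https_redirect_target($s, $allowed);
        // In a live request: header('Location: ' . $target, true, 302); exit;
        echo $target === null ? "already HTTPS\n" : "302 Location: $target\n";
    } catch (DomainException $e) {
        echo "400 Bad Request ({$e->getMessage()})\n";
    }
}
```

A redirect only helps requests that have not yet carried a secret: a password already POSTed over HTTP has been sent in clear before the redirect is issued, so the login form itself has to be served and submitted over HTTPS.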
|2009-01-03 20:22||ph3||New Issue|
|2009-01-04 19:35||Sourcerer||Note Added: 0001265|
|2009-06-05 12:52||Daniel Black||Project||Main CAcert Website => bugs.cacert.org|
|2013-07-10 23:59||BenBE||Relationship added||related to 0001116|
|2014-10-04 09:53||Ruel Print||File Added: rfc3330.txt|
|2014-10-04 09:54||Ruel Print||File Added: dd.exe|
|2017-04-04 16:29||bjobjo||Note Added: 0005543|