View Issue Details

IDProjectCategoryView StatusLast Update
0000666bugs.cacert.orgmiscpublic2021-08-07 20:39
Reporterph3 Assigned To 
PrioritynormalSeverityminorReproducibilityalways
Status newResolutionopen 
PlatformMain CAcert WebsiteOSN/AOS Versionstable
Summary0000666: Mantis allows login without SSL/TLS
DescriptionMantis allows to login without SSL/TLS. You need to manually add the s for SSL/TLS into the location bar of your browser.
Additional InformationPossible fix:

check for protocol (HTTP/HTTPS) and redirect to https://$HOST/$SCRIPT?$QUERY_STRING in case if HTTP. As it will mainly redirect on the login page this should not break something.
TagsNo tags attached.

Relationships

related to 0001116 closedNEOatNHNG Setup HSTS for Bugtracker 

Activities

Sourcerer

2009-01-04 19:35

administrator   ~0001265

The possibility to login without HTTPS is a feature, not a bug. (So that people that have troubles with importing the root certificate can also file bugs)
The default login with HTTP is a bug, we would prefer to default to HTTPS login.
Could you evaluate, whether we can configure that in Mantis, and if not to file a feature request for that feature on http://www.mantisbt.org/

Ruel Print

2014-10-04 09:53

reporter  

rfc3330.txt (16,200 bytes)   





Network Working Group                                               IANA
Request for Comments: 3330                                September 2002
Category: Informational


                       Special-Use IPv4 Addresses

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

Abstract

   This document describes the global and other specialized IPv4 address
   blocks that have been assigned by the Internet Assigned Numbers
   Authority (IANA).  It does not address IPv4 address space assigned to
   operators and users through the Regional Internet Registries.  It
   also does not address allocations or assignments of IPv6 addresses or
   autonomous system numbers.

1. Introduction

   Throughout its entire history, the Internet has employed a central
   Internet Assigned Numbers Authority (IANA) responsible for the
   allocation and assignment of various identifiers needed for the
   operation of the Internet [RFC1174].  In the case of the IPv4 address
   space, the IANA allocates parts of the address space to Regional
   Internet Registries according to their established needs.  These
   Regional Internet Registries are responsible for the assignment of
   IPv4 addresses to operators and users of the Internet within their
   regions.

   Minor portions of the IPv4 address space have been allocated or
   assigned directly by the IANA for global or other specialized
   purposes.  These allocations and assignments have been documented in
   a variety of RFCs and other documents.  This document is intended to
   collect these scattered references.

   On an ongoing basis, the IANA has been designated by the IETF to make
   assignments in support of the Internet Standards Process [RFC2860].
   Section 4 of this document describes that assignment process.




IANA                         Informational                      [Page 1]

RFC 3330               Special-Use IPv4 Addresses         September 2002


2. Global and Other Specialized Address Blocks

   0.0.0.0/8 - Addresses in this block refer to source hosts on "this"
   network.  Address 0.0.0.0/32 may be used as a source address for this
   host on this network; other addresses within 0.0.0.0/8 may be used to
   refer to specified hosts on this network [RFC1700, page 4].

   10.0.0.0/8 - This block is set aside for use in private networks.
   Its intended use is documented in [RFC1918].  Addresses within this
   block should not appear on the public Internet.

   14.0.0.0/8 - This block is set aside for assignments to the
   international system of Public Data Networks [RFC1700, page 181]. The
   registry of assignments within this block can be accessed from the
   "Public Data Network Numbers" link on the web page at
   http://www.iana.org/numbers.html.  Addresses within this block are
   assigned to users and should be treated as such.

   24.0.0.0/8 - This block was allocated in early 1996 for use in
   provisioning IP service over cable television systems.  Although the
   IANA initially was involved in making assignments to cable operators,
   this responsibility was transferred to American Registry for Internet
   Numbers (ARIN) in May 2001.  Addresses within this block are assigned
   in the normal manner and should be treated as such.

   39.0.0.0/8 - This block was used in the "Class A Subnet Experiment"
   that commenced in May 1995, as documented in [RFC1797].  The
   experiment has been completed and this block has been returned to the
   pool of addresses reserved for future allocation or assignment.  This
   block therefore no longer has a special use and is subject to
   allocation to a Regional Internet Registry for assignment in the
   normal manner.

   127.0.0.0/8 - This block is assigned for use as the Internet host
   loopback address.  A datagram sent by a higher level protocol to an
   address anywhere within this block should loop back inside the host.
   This is ordinarily implemented using only 127.0.0.1/32 for loopback,
   but no addresses within this block should ever appear on any network
   anywhere [RFC1700, page 5].

   128.0.0.0/16 - This block, corresponding to the numerically lowest of
   the former Class B addresses, was initially and is still reserved by
   the IANA.  Given the present classless nature of the IP address
   space, the basis for the reservation no longer applies and addresses
   in this block are subject to future allocation to a Regional Internet
   Registry for assignment in the normal manner.





IANA                         Informational                      [Page 2]

RFC 3330               Special-Use IPv4 Addresses         September 2002


   169.254.0.0/16 - This is the "link local" block.  It is allocated for
   communication between hosts on a single link.  Hosts obtain these
   addresses by auto-configuration, such as when a DHCP server may not
   be found.

   172.16.0.0/12 - This block is set aside for use in private networks.
   Its intended use is documented in [RFC1918].  Addresses within this
   block should not appear on the public Internet.

   191.255.0.0/16 - This block, corresponding to the numerically highest
   to the former Class B addresses, was initially and is still reserved
   by the IANA.  Given the present classless nature of the IP address
   space, the basis for the reservation no longer applies and addresses
   in this block are subject to future allocation to a Regional Internet
   Registry for assignment in the normal manner.

   192.0.0.0/24 - This block, corresponding to the numerically lowest of
   the former Class C addresses, was initially and is still reserved by
   the IANA.  Given the present classless nature of the IP address
   space, the basis for the reservation no longer applies and addresses
   in this block are subject to future allocation to a Regional Internet
   Registry for assignment in the normal manner.

   192.0.2.0/24 - This block is assigned as "TEST-NET" for use in
   documentation and example code.  It is often used in conjunction with
   domain names example.com or example.net in vendor and protocol
   documentation.  Addresses within this block should not appear on the
   public Internet.

   192.88.99.0/24 - This block is allocated for use as 6to4 relay
   anycast addresses, according to [RFC3068].

   192.168.0.0/16 - This block is set aside for use in private networks.
   Its intended use is documented in [RFC1918].  Addresses within this
   block should not appear on the public Internet.

   198.18.0.0/15 - This block has been allocated for use in benchmark
   tests of network interconnect devices.  Its use is documented in
   [RFC2544].

   223.255.255.0/24 - This block, corresponding to the numerically
   highest of the former Class C addresses, was initially and is still
   reserved by the IANA.  Given the present classless nature of the IP
   address space, the basis for the reservation no longer applies and
   addresses in this block are subject to future allocation to a
   Regional Internet Registry for assignment in the normal manner.





IANA                         Informational                      [Page 3]

RFC 3330               Special-Use IPv4 Addresses         September 2002


   224.0.0.0/4 - This block, formerly known as the Class D address
   space, is allocated for use in IPv4 multicast address assignments.
   The IANA guidelines for assignments from this space are described in
   [RFC3171].

   240.0.0.0/4 - This block, formerly known as the Class E address
   space, is reserved.  The "limited broadcast" destination address
   255.255.255.255 should never be forwarded outside the (sub-)net of
   the source.  The remainder of this space is reserved for future use.
   [RFC1700, page 4]

3. Summary Table

   Address Block             Present Use                       Reference
   ---------------------------------------------------------------------
   0.0.0.0/8            "This" Network                 [RFC1700, page 4]
   10.0.0.0/8           Private-Use Networks                   [RFC1918]
   14.0.0.0/8           Public-Data Networks         [RFC1700, page 181]
   24.0.0.0/8           Cable Television Networks                    --
   39.0.0.0/8           Reserved but subject
                           to allocation                       [RFC1797]
   127.0.0.0/8          Loopback                       [RFC1700, page 5]
   128.0.0.0/16         Reserved but subject
                           to allocation                             --
   169.254.0.0/16       Link Local                                   --
   172.16.0.0/12        Private-Use Networks                   [RFC1918]
   191.255.0.0/16       Reserved but subject
                           to allocation                             --
   192.0.0.0/24         Reserved but subject
                           to allocation                             --
   192.0.2.0/24         Test-Net
   192.88.99.0/24       6to4 Relay Anycast                     [RFC3068]
   192.168.0.0/16       Private-Use Networks                   [RFC1918]
   198.18.0.0/15        Network Interconnect
                           Device Benchmark Testing            [RFC2544]
   223.255.255.0/24     Reserved but subject
                           to allocation                             --
   224.0.0.0/4          Multicast                              [RFC3171]
   240.0.0.0/4          Reserved for Future Use        [RFC1700, page 4]

4. Assignments of IPv4 Blocks for New Specialized Uses

   The IANA has responsibility for making assignments of protocol
   parameters used in the Internet according to the requirements of the
   "Memorandum of Understanding Concerning the Technical Work of the
   Internet Assigned Numbers Authority" [RFC2860].  Among other things,
   [RFC2860] requires that protocol parameters be assigned according to




IANA                         Informational                      [Page 4]

RFC 3330               Special-Use IPv4 Addresses         September 2002


   the criteria and procedures specified in RFCs, including Proposed,
   Draft, and full Internet Standards and Best Current Practice
   documents, and any other RFC that calls for IANA assignment.

   The domain name and IP address spaces involve policy issues (in
   addition to technical issues) so that the requirements of [RFC2860]
   do not apply generally to those spaces.  Nonetheless, the IANA is
   responsible for ensuring assignments of IPv4 addresses as needed in
   support of the Internet Standards Process.  When a portion of the
   IPv4 address space is specifically required by an RFC, the technical
   requirements (e.g., size, prefix length) for the portion should be
   described [RFC2434].  Immediately before the RFC is published, the
   IANA will, in consultation with the Regional Internet Registries,
   make the necessary assignment and notify the RFC Editor of the
   particulars for inclusion in the RFC as published.

   As required by [RFC2860], the IANA will also make necessary
   experimental assignments of IPv4 addresses, also in consultation with
   the Regional Internet Registries.

5. Security Considerations

   The particular assigned values of special-use IPv4 addresses
   cataloged in this document do not directly raise security issues.
   However, the Internet does not inherently protect against abuse of
   these addresses; if you expect (for instance) that all packets from
   the 10.0.0.0/8 block originate within your subnet, all border routers
   should filter such packets that originate from elsewhere.  Attacks
   have been mounted that depend on the unexpected use of some of these
   addresses.

6. IANA Considerations

   This document describes the IANA's past and current practices and
   does not create any new requirements for assignments or allocations
   by the IANA.

7. References

   [RFC1174] Cerf, V., "IAB Recommended Policy on Distributing Internet
             Identifier Assignment and IAB Recommended Policy Change to
             Internet 'Connected' Status", RFC 1174, August 1990.

   [RFC1700] Reynolds, J. and J. Postel, "Assigned Numbers", STD 2, RFC
             1700, October 1994.

   [RFC1797] IANA, "Class A Subnet Experiment", RFC 1797, April 1995.




IANA                         Informational                      [Page 5]

RFC 3330               Special-Use IPv4 Addresses         September 2002


   [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.
             J., and E. Lear, "Address Allocation for Private
             Internets", BCP 5, RFC 1918, February 1996.

   [RFC2050] Hubbard, K., Kosters, M., Conrad, D., Karrenberg, D., and
             J. Postel, "Internet Registry IP Allocation Guidelines",
             BCP 12, RFC 2050, November 1996.

   [RFC2434] Narten, T., and H. Alvestrand, "Guidelines for Writing an
             IANA Considerations Section in RFCs", BCP 26, RFC 2434,
             October 1998.

   [RFC2544] Bradner, S., and J. McQuaid, "Benchmarking Methodology for
             Network Interconnect Devices", RFC 2544, March 1999.

   [RFC2860] Carpenter, B., Baker, F., and M. Roberts, "Memorandum of
             Understanding Concerning the Technical Work of the Internet
             Assigned Numbers Authority", RFC 2860, June 2000.

   [RFC3068] Huitema, C., "An Anycast Prefix for 6to4 Relay Routers",
             RFC 3068, June 2001.

   [RFC3171] Albanna, Z., Almeroth, K., Meyer, D., and M. Schipper,
             "IANA Guidelines for IPv4 Multicast Address Assignments",
             BCP 51, RFC 3171, August 2001.

   [RFC3232] Reynolds, J. Ed., "Assigned Numbers: RFC 1700 is Replaced
             by an On-line Database", RFC 3232, January 2002.

8. Acknowledgments

   Many people have made comments on draft versions of this document.
   The IANA would especially like to thank Scott Bradner, Randy Bush,
   and Harald Alvestrand for their constructive feedback and comments.

9. Author's Address

   Internet Assigned Numbers Authority (IANA)
   4676 Admiralty Way, Suite 330
   Marina del Rey, CA 90292-6601

   Phone: +1 310-823-9358
   Fax:   +1 310-823-8649
   EMail: iana@iana.org







IANA                         Informational                      [Page 6]

RFC 3330               Special-Use IPv4 Addresses         September 2002


10.  Full Copyright Statement

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.



















IANA                         Informational                      [Page 7]

rfc3330.txt (16,200 bytes)   

bjobjo

2017-04-04 16:29

reporter   ~0005543

Hi,

The confirmation mail when you register in Mantis redirects you to the non-secure access where you have to define your password.

Please change all links to https.

I don't agree for "possibility to login without HTTPS is a feature",
this is probably a very specific case, you can still offer a redirect page that displays information and a link to a form specific for this kind of problems and a link to the secure site. A FAQ about "cannot access the https site" can also be present on that form to help the user and avoid ticket if he did not import the root certificate (which is not anymore sufficient as firefox is refusing MD5/RSA signed certificates in the full chain as stated in ticket 0001305).

So please, secure all our sites and make it state of the art.

Thanks a lot for the hard work!

Ted

2021-08-05 18:29

administrator   ~0006043

I just tried, and it seems to have been fixed... Please someone else check it before we can close it...

alkas

2021-08-05 19:38

manager   ~0006046

I just have tried too, but probably because I have CAcert roots installed, the http://... immediately changed to https://...

Golffies

2021-08-06 10:27

manager   ~0006052

@Alkaš: To restore access to the http version of the site, you need to reset the "site preferences" kept by Firefox. Please see: https://stackoverflow.com/questions/30532471/firefox-redirects-to-https

Ted

2021-08-06 11:13

administrator   ~0006053

Note that since new users are not able to file bugs anyway (since 2020), the comment of @Sourcerer from 2009 is somewhat obsolete.

IMHO access to the server can be restricted to HTTPS. Most people "file a bug" by mailing to support anyway...

alkas

2021-08-06 12:55

manager   ~0006054

My Firefox 90.0.2/64 for Ubuntu reports that the server bugs.cacert.org uses HSTS and forces https://... connection. It also reports that there is nothing I can do. I have set the distrust tu CAcert root, even after that the http:// switched to https://, and the server connection was rejected, as expected. So my conclusion is that anyone is unable to http:// connect as long as HSTS is set on the server.

alkas

2021-08-06 16:48

manager   ~0006056

Next try using https://stackoverflow.com/questions/30532471/firefox-redirects-to-https. I must admit that Firefox's talking about HSTS is misleading. After that, I am able to reach bugs.cacert.org with http://, and then I am also able to login. Firefox only says: Unsecured connection. I am also allowed to add this note.

jandd

2021-08-07 11:02

administrator   ~0006062

Is it still a valid assumption that bug submission via http is a feature (like in the comment from @Sourcerer from 2009)? Do we trust the ISPs/network operators of all of our users or on the way to our systems?

From my point of view we should have a simple way to collect bug reports from users that cannot install CAcert CA certificates but from a privacy point of view this should be secured too (maybe a separate form secured with a letsencrypt server certificate). Redirecting all http access to https would make administration/maintenance easier.

Ted

2021-08-07 18:01

administrator   ~0006063

Currently, new users are only viewers, not reporters anymore, due to increasing SPAM in form of bug reports.

So, bugs.cacert.org is not open for bug reports of "the general public" anyway. Given this, I'd consider http access to bugs.cacert.org as more or less obsolete. It might be nice for read-only (non-login) access if this is easily possible, but I guess redirecting the whole traffic (as @jandd proposes) will be considerably easier.

But, I don't want to make this decision alone...

alkas

2021-08-07 19:39

manager   ~0006066

If I understood well:
1. Restriction to https (needs CAcert roots installed)
2. Reports could be added if an user has a valid client certificate.
3. Reports could be added if an user has no client certs. He could use credentials he has set when he created his account.
Why cannot an user use his account's credentials (username /=email/, and password) ?

Ted

2021-08-07 19:46

administrator   ~0006067

Last edited: 2021-08-07 19:48

@alkas, I don't think you did understand my point. I'll try it a third time.

Currently new users can not create new issues. Not before first contacting a mantis admin at CAcert who must grant them reporter access.

This is not related to the HTTP/HTTPS-issue. Reporting of bugs by new users has been disabled in 2020 because it was abused more and more to post SPAM. But this change obsoletes the reasoning of @Sourcerer, that http (non -s) is needed so "newbies" can create issues.

alkas

2021-08-07 20:21

manager   ~0006069

@Ted,
"Not before first contacting a mantis admin at CAcert who must grant them reporter access."
What I tried to do, is only to propose skipping the above step. That step does protect against spam, because a spammer can create an account, then ask Mantis admin, then make spam messages, but reviewers know spammer's identity. If everybody who has an account can add issues, the situation is the same: admin and reviewers know his identity.
I share your points about HTTP/S and spammers creating "issues" via http and no cert.

A related problem: when I want to connect to Bugs, I am asking for a valid client cert at first, Only then I am able to login = to say who I am.
Why is my client certificate insufficient, despite I am assured with 100 AP ? Is it only a technical problem ?

Ted

2021-08-07 20:39

administrator   ~0006070

@alkas ok, I did not read that from your last comment. Now it seems that we agree in most points. :-)

Probably no newbie will ever contact a mantis admin and ask for right elevation.
Should this happen nevertheless, the mantis admin should ask which error they want to report. If they can give a sensible answer to this question they won't be spammers. At least not in the beginning... Let's wait till AIs can handle that situation and re-evaluate then. ;-)
(BTW, knowing/blocking identities does not really help if these "identities" are throwaway mail addresses)

But, IMHO a more sensible process for newbies having problems would be that they write a mail to support (preferably the mailinglist, which indeed has some active users). If the support mailing list decides that the report is indeed something that belongs into mantis some mailing list user with reporter access (I'm quite sure that there are several) should create the issue.

So, to come back to the current issue, I really do not see the need for HTTP access. People active in the support mailing list should be able to import CAcert's roots.

Issue History

Date Modified Username Field Change
2009-01-03 20:22 ph3 New Issue
2009-01-04 19:35 Sourcerer Note Added: 0001265
2009-06-05 12:52 Daniel Black Project Main CAcert Website => bugs.cacert.org
2013-07-10 23:59 BenBE Relationship added related to 0001116
2014-10-04 09:53 Ruel Print File Added: rfc3330.txt
2014-10-04 09:54 Ruel Print File Added: dd.exe
2017-04-04 16:29 bjobjo Note Added: 0005543
2020-07-02 08:49 jandd File Deleted: dd.exe
2021-08-05 18:29 Ted Note Added: 0006043
2021-08-05 19:38 alkas Note Added: 0006046
2021-08-06 10:27 Golffies Note Added: 0006052
2021-08-06 11:13 Ted Note Added: 0006053
2021-08-06 12:55 alkas Note Added: 0006054
2021-08-06 16:48 alkas Note Added: 0006056
2021-08-07 11:02 jandd Note Added: 0006062
2021-08-07 18:01 Ted Note Added: 0006063
2021-08-07 19:39 alkas Note Added: 0006066
2021-08-07 19:46 Ted Note Added: 0006067
2021-08-07 19:47 Ted Note Edited: 0006067
2021-08-07 19:48 Ted Note Edited: 0006067
2021-08-07 20:21 alkas Note Added: 0006069
2021-08-07 20:39 Ted Note Added: 0006070