View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000666 | bugs.cacert.org | misc | public | 2009-01-03 20:22 | 2017-11-08 15:19 |

| Platform | OS | OS Version |
|---|---|---|
| Main CAcert Website | N/A | stable |

| Summary | 0000666: Mantis allows login without SSL/TLS |
|---|---|
| Description | Mantis allows logging in without SSL/TLS. You need to manually add the "s" for SSL/TLS in the location bar of your browser. |
| Additional Information | Possible fix: check for the protocol (HTTP/HTTPS) and redirect to https://$HOST/$SCRIPT?$QUERY_STRING in case of HTTP. As it will mainly redirect on the login page, this should not break anything. |
| Tags | No tags attached. |
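The redirect proposed under Additional Information, written out as an added PHP example (not MantisBT code and not from the reporter); `$canonical_host` is a hypothetical setting, `bugs.example.org` a placeholder, and the HSTS header at the end goes beyond what the report proposes:

```php
<?php
// Added example, not MantisBT code: force HTTPS the way the "possible fix"
// describes (check the protocol, redirect to https://$HOST/$SCRIPT?$QUERY_STRING).
// $canonical_host is a hypothetical setting; bugs.example.org is a placeholder.
$canonical_host = 'bugs.example.org';

function request_is_https(array $server): bool
{
    // PHP sets $_SERVER['HTTPS'] on TLS connections; some servers (IIS) set it
    // to 'off' on plain HTTP. Behind a TLS-terminating proxy, check the proxy's
    // forwarded-protocol header instead, because HTTPS will never be set here.
    return isset($server['HTTPS']) && $server['HTTPS'] !== '' && $server['HTTPS'] !== 'off';
}

function https_target(string $host, array $server): string
{
    // Rebuild the same script and query string on the configured host. Using a
    // configured host instead of $_SERVER['HTTP_HOST'] keeps a client-supplied
    // Host header from steering the redirect to a different site.
    $target = 'https://' . $host . ($server['SCRIPT_NAME'] ?? '/');
    if (!empty($server['QUERY_STRING'])) {
        $target .= '?' . $server['QUERY_STRING'];
    }
    return $target;
}

if (!request_is_https($_SERVER)) {
    // 301 so browsers and bookmarks learn the https URL. This only protects GET
    // navigations: a login form POSTed over plain HTTP has already sent the
    // password, so links and form actions must point at https as well.
    // header() refuses values containing newlines, so a crafted query string
    // cannot smuggle extra response headers through the Location value.
    header('Location: ' . https_target($canonical_host, $_SERVER), true, 301);
    exit;
}

// Beyond the proposal: once on HTTPS, tell browsers to use HTTPS for every
// later request to this host (HSTS), so the plain-HTTP first hop disappears.
header('Strict-Transport-Security: max-age=31536000');
```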
Note 0001265 (Sourcerer, 2009-01-04 19:35):

The possibility to log in without HTTPS is a feature, not a bug (so that people who have trouble importing the root certificate can also file bugs).
The default login with HTTP is a bug; we would prefer to default to HTTPS login.
Could you evaluate whether we can configure that in Mantis, and if not, file a feature request for that feature on http://www.mantisbt.org/
Attached Files:
rfc3330.txt (16,200 bytes)
dd.exe (87,552 bytes)
Note 0005543 (bjobjo, 2017-04-04 16:29):

The confirmation mail you receive when you register in Mantis redirects you to the non-secure site, where you have to define your password.
Please change all links to https.
I don't agree that the "possibility to login without HTTPS is a feature":
this is probably a very specific case; you can still offer a redirect page that displays information, a link to a form specific to this kind of problem, and a link to the secure site. A FAQ about "cannot access the https site" could also be present on that form to help the user and avoid a ticket if he did not import the root certificate (which is no longer sufficient, as Firefox is refusing MD5/RSA-signed certificates in the full chain, as stated in ticket 0001305).
So please, secure all our sites and make it state of the art.
Thanks a lot for the hard work!
Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2009-01-03 20:22 | ph3 | New Issue | |
| 2009-01-04 19:35 | Sourcerer | Note Added: 0001265 | |
| 2009-06-05 12:52 | Daniel Black | Project | Main CAcert Website => bugs.cacert.org |
| 2013-07-10 23:59 | BenBE | Relationship added | related to 0001116 |
| 2014-10-04 09:53 | Ruel Print | File Added: rfc3330.txt | |
| 2014-10-04 09:54 | Ruel Print | File Added: dd.exe | |
| 2017-04-04 16:29 | bjobjo | Note Added: 0005543 | |