View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
| --- | --- | --- | --- | --- | --- |
| 0000666 | bugs.cacert.org | misc | public | 2009-01-03 20:22 | 2021-08-07 20:39 |

| Platform | OS | OS Version |
| --- | --- | --- |
| Main CAcert Website | N/A | stable |
Summary: 0000666: Mantis allows login without SSL/TLS

Description: Mantis allows logging in without SSL/TLS. You need to manually add the "s" for SSL/TLS into the location bar of your browser.

Additional Information: Possible fix: check for the protocol (HTTP/HTTPS) and redirect to https://$HOST/$SCRIPT?$QUERY_STRING in case of HTTP. As it will mainly redirect on the login page, this should not break anything.

Tags: No tags attached.
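The redirect the report proposes, worked through as an added example (this is not Mantis code and not CAcert's own fix): a small WSGI-style front-end check in Python that answers plain-HTTP requests with a redirect to the HTTPS equivalent of the same host, script path and query string, and adds a Strict-Transport-Security header to HTTPS responses so that browsers stay on HTTPS afterwards. The host allow-list, the header handling behind a reverse proxy and the sample request are assumptions constructed for the example.

```python
"""Force-HTTPS front-end check (added example, not Mantis or CAcert code).

Plain-HTTP requests are answered with a redirect to
https://<host><script path>?<query string>; HTTPS responses get an HSTS header.
The host allow-list and the sample request below are constructed.
"""

# Hosts that may appear in a redirect target. Redirecting to whatever Host
# header the client sent would let a forged Host steer users elsewhere.
ALLOWED_HOSTS = {"bugs.example.org"}  # constructed; use the real site name
HSTS_MAX_AGE = 31536000  # one year, in seconds


def effective_scheme(environ, trusted_proxy=False):
    """Scheme the client actually used.

    Behind a TLS-terminating reverse proxy the application only ever sees
    plain HTTP, so X-Forwarded-Proto is consulted, but only when the caller
    declares the proxy trusted: otherwise any client could send the header
    itself and skip the redirect.
    """
    scheme = environ.get("wsgi.url_scheme", "http")
    if trusted_proxy:
        forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
        if forwarded:
            scheme = forwarded.split(",")[0].strip().lower()
    return scheme


def https_redirect(environ, trusted_proxy=False):
    """Return (status, headers) for a redirect to HTTPS, or None if already HTTPS.

    The target is rebuilt from an allow-listed host, the script path and the
    query string, i.e. the https://$HOST/$SCRIPT?$QUERY_STRING shape from the
    issue report, rather than echoing any client-supplied URL.
    """
    if effective_scheme(environ, trusted_proxy) == "https":
        return None
    host = environ.get("HTTP_HOST", "").split(":")[0].lower()
    if host not in ALLOWED_HOSTS:
        # An unexpected Host header must not drive the redirect target.
        return ("400 Bad Request", [("Content-Type", "text/plain")])
    path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
    location = f"https://{host}{path or '/'}"
    query = environ.get("QUERY_STRING", "")
    if query:
        location += "?" + query
    return ("301 Moved Permanently", [("Location", location)])


def hsts_header(max_age=HSTS_MAX_AGE, include_subdomains=True):
    """Strict-Transport-Security header; browsers only honour it over HTTPS."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return ("Strict-Transport-Security", value)


def force_https(app, trusted_proxy=False):
    """WSGI middleware: redirect plain HTTP, add HSTS to every HTTPS response."""
    def wrapped(environ, start_response):
        redirect = https_redirect(environ, trusted_proxy)
        if redirect is not None:
            status, headers = redirect
            start_response(status, headers)
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            return start_response(status, list(headers) + [hsts_header()], exc_info)

        return app(environ, start_with_hsts)
    return wrapped


if __name__ == "__main__":
    # Constructed request: a plain-HTTP hit on the login page with a query string.
    request = {
        "wsgi.url_scheme": "http",
        "HTTP_HOST": "bugs.example.org",
        "SCRIPT_NAME": "/login_page.php",
        "PATH_INFO": "",
        "QUERY_STRING": "return=view.php",
    }
    print(https_redirect(request))
```

Two caveats the code makes visible: a 301 on a login POST cannot unsend credentials that were already transmitted in the clear, so the redirect only fixes the entry point and form actions and mailed links still need to be https themselves; and X-Forwarded-Proto is only safe to trust when the application sits behind a TLS-terminating proxy you control, otherwise a client can set it and bypass the redirect.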
The possibility to login without HTTPS is a feature, not a bug. (So that people who have trouble importing the root certificate can also file bugs.)
The default login with HTTP is a bug; we would prefer to default to HTTPS login.
Could you evaluate whether we can configure that in Mantis, and if not, file a feature request for that feature on http://www.mantisbt.org/
rfc3330.txt (16,200 bytes)

Network Working Group                                               IANA
Request for Comments: 3330                                September 2002
Category: Informational

Special-Use IPv4 Addresses

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2002). All Rights Reserved.

Abstract

This document describes the global and other specialized IPv4 address blocks that have been assigned by the Internet Assigned Numbers Authority (IANA). It does not address IPv4 address space assigned to operators and users through the Regional Internet Registries. It also does not address allocations or assignments of IPv6 addresses or autonomous system numbers.

1. Introduction

Throughout its entire history, the Internet has employed a central Internet Assigned Numbers Authority (IANA) responsible for the allocation and assignment of various identifiers needed for the operation of the Internet [RFC1174]. In the case of the IPv4 address space, the IANA allocates parts of the address space to Regional Internet Registries according to their established needs. These Regional Internet Registries are responsible for the assignment of IPv4 addresses to operators and users of the Internet within their regions.

Minor portions of the IPv4 address space have been allocated or assigned directly by the IANA for global or other specialized purposes. These allocations and assignments have been documented in a variety of RFCs and other documents. This document is intended to collect these scattered references.

On an ongoing basis, the IANA has been designated by the IETF to make assignments in support of the Internet Standards Process [RFC2860]. Section 4 of this document describes that assignment process.

IANA Informational [Page 1]
RFC 3330 Special-Use IPv4 Addresses September 2002

2. Global and Other Specialized Address Blocks

0.0.0.0/8 - Addresses in this block refer to source hosts on "this" network. Address 0.0.0.0/32 may be used as a source address for this host on this network; other addresses within 0.0.0.0/8 may be used to refer to specified hosts on this network [RFC1700, page 4].

10.0.0.0/8 - This block is set aside for use in private networks. Its intended use is documented in [RFC1918]. Addresses within this block should not appear on the public Internet.

14.0.0.0/8 - This block is set aside for assignments to the international system of Public Data Networks [RFC1700, page 181]. The registry of assignments within this block can be accessed from the "Public Data Network Numbers" link on the web page at http://www.iana.org/numbers.html. Addresses within this block are assigned to users and should be treated as such.

24.0.0.0/8 - This block was allocated in early 1996 for use in provisioning IP service over cable television systems. Although the IANA initially was involved in making assignments to cable operators, this responsibility was transferred to American Registry for Internet Numbers (ARIN) in May 2001. Addresses within this block are assigned in the normal manner and should be treated as such.

39.0.0.0/8 - This block was used in the "Class A Subnet Experiment" that commenced in May 1995, as documented in [RFC1797]. The experiment has been completed and this block has been returned to the pool of addresses reserved for future allocation or assignment. This block therefore no longer has a special use and is subject to allocation to a Regional Internet Registry for assignment in the normal manner.

127.0.0.0/8 - This block is assigned for use as the Internet host loopback address. A datagram sent by a higher level protocol to an address anywhere within this block should loop back inside the host. This is ordinarily implemented using only 127.0.0.1/32 for loopback, but no addresses within this block should ever appear on any network anywhere [RFC1700, page 5].

128.0.0.0/16 - This block, corresponding to the numerically lowest of the former Class B addresses, was initially and is still reserved by the IANA. Given the present classless nature of the IP address space, the basis for the reservation no longer applies and addresses in this block are subject to future allocation to a Regional Internet Registry for assignment in the normal manner.

169.254.0.0/16 - This is the "link local" block. It is allocated for communication between hosts on a single link. Hosts obtain these addresses by auto-configuration, such as when a DHCP server may not be found.

172.16.0.0/12 - This block is set aside for use in private networks. Its intended use is documented in [RFC1918]. Addresses within this block should not appear on the public Internet.

191.255.0.0/16 - This block, corresponding to the numerically highest of the former Class B addresses, was initially and is still reserved by the IANA. Given the present classless nature of the IP address space, the basis for the reservation no longer applies and addresses in this block are subject to future allocation to a Regional Internet Registry for assignment in the normal manner.

192.0.0.0/24 - This block, corresponding to the numerically lowest of the former Class C addresses, was initially and is still reserved by the IANA. Given the present classless nature of the IP address space, the basis for the reservation no longer applies and addresses in this block are subject to future allocation to a Regional Internet Registry for assignment in the normal manner.

192.0.2.0/24 - This block is assigned as "TEST-NET" for use in documentation and example code. It is often used in conjunction with domain names example.com or example.net in vendor and protocol documentation. Addresses within this block should not appear on the public Internet.

192.88.99.0/24 - This block is allocated for use as 6to4 relay anycast addresses, according to [RFC3068].

192.168.0.0/16 - This block is set aside for use in private networks. Its intended use is documented in [RFC1918]. Addresses within this block should not appear on the public Internet.

198.18.0.0/15 - This block has been allocated for use in benchmark tests of network interconnect devices. Its use is documented in [RFC2544].

223.255.255.0/24 - This block, corresponding to the numerically highest of the former Class C addresses, was initially and is still reserved by the IANA. Given the present classless nature of the IP address space, the basis for the reservation no longer applies and addresses in this block are subject to future allocation to a Regional Internet Registry for assignment in the normal manner.

224.0.0.0/4 - This block, formerly known as the Class D address space, is allocated for use in IPv4 multicast address assignments. The IANA guidelines for assignments from this space are described in [RFC3171].

240.0.0.0/4 - This block, formerly known as the Class E address space, is reserved. The "limited broadcast" destination address 255.255.255.255 should never be forwarded outside the (sub-)net of the source. The remainder of this space is reserved for future use. [RFC1700, page 4]

3. Summary Table

| Address Block | Present Use | Reference |
| --- | --- | --- |
| 0.0.0.0/8 | "This" Network | [RFC1700, page 4] |
| 10.0.0.0/8 | Private-Use Networks | [RFC1918] |
| 14.0.0.0/8 | Public-Data Networks | [RFC1700, page 181] |
| 24.0.0.0/8 | Cable Television Networks | -- |
| 39.0.0.0/8 | Reserved but subject to allocation | [RFC1797] |
| 127.0.0.0/8 | Loopback | [RFC1700, page 5] |
| 128.0.0.0/16 | Reserved but subject to allocation | -- |
| 169.254.0.0/16 | Link Local | -- |
| 172.16.0.0/12 | Private-Use Networks | [RFC1918] |
| 191.255.0.0/16 | Reserved but subject to allocation | -- |
| 192.0.0.0/24 | Reserved but subject to allocation | -- |
| 192.0.2.0/24 | Test-Net | |
| 192.88.99.0/24 | 6to4 Relay Anycast | [RFC3068] |
| 192.168.0.0/16 | Private-Use Networks | [RFC1918] |
| 198.18.0.0/15 | Network Interconnect Device Benchmark Testing | [RFC2544] |
| 223.255.255.0/24 | Reserved but subject to allocation | -- |
| 224.0.0.0/4 | Multicast | [RFC3171] |
| 240.0.0.0/4 | Reserved for Future Use | [RFC1700, page 4] |

4. Assignments of IPv4 Blocks for New Specialized Uses

The IANA has responsibility for making assignments of protocol parameters used in the Internet according to the requirements of the "Memorandum of Understanding Concerning the Technical Work of the Internet Assigned Numbers Authority" [RFC2860]. Among other things, [RFC2860] requires that protocol parameters be assigned according to the criteria and procedures specified in RFCs, including Proposed, Draft, and full Internet Standards and Best Current Practice documents, and any other RFC that calls for IANA assignment.

The domain name and IP address spaces involve policy issues (in addition to technical issues) so that the requirements of [RFC2860] do not apply generally to those spaces. Nonetheless, the IANA is responsible for ensuring assignments of IPv4 addresses as needed in support of the Internet Standards Process.

When a portion of the IPv4 address space is specifically required by an RFC, the technical requirements (e.g., size, prefix length) for the portion should be described [RFC2434]. Immediately before the RFC is published, the IANA will, in consultation with the Regional Internet Registries, make the necessary assignment and notify the RFC Editor of the particulars for inclusion in the RFC as published.

As required by [RFC2860], the IANA will also make necessary experimental assignments of IPv4 addresses, also in consultation with the Regional Internet Registries.

5. Security Considerations

The particular assigned values of special-use IPv4 addresses cataloged in this document do not directly raise security issues. However, the Internet does not inherently protect against abuse of these addresses; if you expect (for instance) that all packets from the 10.0.0.0/8 block originate within your subnet, all border routers should filter such packets that originate from elsewhere. Attacks have been mounted that depend on the unexpected use of some of these addresses.

6. IANA Considerations

This document describes the IANA's past and current practices and does not create any new requirements for assignments or allocations by the IANA.

7. References

[RFC1174] Cerf, V., "IAB Recommended Policy on Distributing Internet Identifier Assignment and IAB Recommended Policy Change to Internet 'Connected' Status", RFC 1174, August 1990.
[RFC1700] Reynolds, J. and J. Postel, "Assigned Numbers", STD 2, RFC 1700, October 1994.
[RFC1797] IANA, "Class A Subnet Experiment", RFC 1797, April 1995.
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G. J., and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, February 1996.
[RFC2050] Hubbard, K., Kosters, M., Conrad, D., Karrenberg, D., and J. Postel, "Internet Registry IP Allocation Guidelines", BCP 12, RFC 2050, November 1996.
[RFC2434] Narten, T., and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
[RFC2544] Bradner, S., and J. McQuaid, "Benchmarking Methodology for Network Interconnect Devices", RFC 2544, March 1999.
[RFC2860] Carpenter, B., Baker, F., and M. Roberts, "Memorandum of Understanding Concerning the Technical Work of the Internet Assigned Numbers Authority", RFC 2860, June 2000.
[RFC3068] Huitema, C., "An Anycast Prefix for 6to4 Relay Routers", RFC 3068, June 2001.
[RFC3171] Albanna, Z., Almeroth, K., Meyer, D., and M. Schipper, "IANA Guidelines for IPv4 Multicast Address Assignments", BCP 51, RFC 3171, August 2001.
[RFC3232] Reynolds, J. Ed., "Assigned Numbers: RFC 1700 is Replaced by an On-line Database", RFC 3232, January 2002.

8. Acknowledgments

Many people have made comments on draft versions of this document. The IANA would especially like to thank Scott Bradner, Randy Bush, and Harald Alvestrand for their constructive feedback and comments.

9. Author's Address

Internet Assigned Numbers Authority (IANA)
4676 Admiralty Way, Suite 330
Marina del Rey, CA 90292-6601
Phone: +1 310-823-9358
Fax: +1 310-823-8649
EMail: iana@iana.org

10. Full Copyright Statement

Copyright (C) The Internet Society (2002). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
The confirmation mail when you register in Mantis redirects you to the non-secure access, where you have to define your password.
Please change all links to https.
I don't agree with "possibility to login without HTTPS is a feature";
this is probably a very specific case. You can still offer a redirect page that displays information, a link to a form specific to this kind of problem and a link to the secure site. A FAQ about "cannot access the https site" can also be present on that form to help the user and avoid a ticket if he did not import the root certificate (which is not sufficient anymore, as Firefox is refusing MD5/RSA signed certificates in the full chain, as stated in ticket 0001305).
So please, secure all our sites and make it state of the art.
Thanks a lot for the hard work!
I just tried, and it seems to have been fixed... Could someone else please check it before we close it...
I just tried too, but probably because I have the CAcert roots installed, the http://... immediately changed to https://...
@Alkaš: To restore access to the http version of the site, you need to reset the "site preferences" kept by Firefox. Please see: https://stackoverflow.com/questions/30532471/firefox-redirects-to-https
Note that since new users are not able to file bugs anyway (since 2020), the comment of @Sourcerer from 2009 is somewhat obsolete.
IMHO access to the server can be restricted to HTTPS. Most people "file a bug" by mailing to support anyway...
My Firefox 90.0.2/64 for Ubuntu reports that the server bugs.cacert.org uses HSTS and forces an https://... connection. It also reports that there is nothing I can do. I have set distrust to the CAcert root; even after that the http:// switched to https://, and the server connection was rejected, as expected. So my conclusion is that nobody is able to connect via http:// as long as HSTS is set on the server.
Next try, using https://stackoverflow.com/questions/30532471/firefox-redirects-to-https. I must admit that Firefox's talking about HSTS is misleading. After that, I am able to reach bugs.cacert.org with http://, and then I am also able to login. Firefox only says: Unsecured connection. I am also allowed to add this note.
Is it still a valid assumption that bug submission via http is a feature (as in the comment from @Sourcerer from 2009)? Do we trust the ISPs/network operators of all of our users, or those on the way to our systems?
From my point of view we should have a simple way to collect bug reports from users that cannot install CAcert CA certificates but from a privacy point of view this should be secured too (maybe a separate form secured with a letsencrypt server certificate). Redirecting all http access to https would make administration/maintenance easier.
Currently, new users are only viewers, not reporters anymore, due to increasing SPAM in form of bug reports.
So, bugs.cacert.org is not open for bug reports of "the general public" anyway. Given this, I'd consider http access to bugs.cacert.org as more or less obsolete. It might be nice for read-only (non-login) access if this is easily possible, but I guess redirecting the whole traffic (as @jandd proposes) will be considerably easier.
But, I don't want to make this decision alone...
If I understood correctly:
1. Restriction to https (needs CAcert roots installed)
2. Reports could be added if a user has a valid client certificate.
3. Reports could be added if a user has no client certs. He could use the credentials he set when he created his account.
Why can't a user use his account's credentials (username = email, and password)?
@alkas, I don't think you did understand my point. I'll try it a third time.
Currently new users cannot create new issues. Not before first contacting a mantis admin at CAcert who must grant them reporter access.
This is not related to the HTTP/HTTPS issue. Reporting of bugs by new users was disabled in 2020 because it was abused more and more to post SPAM. But this change obsoletes the reasoning of @Sourcerer that http (non-s) is needed so "newbies" can create issues.
"Not before first contacting a mantis admin at CAcert who must grant them reporter access."
What I tried to do is only to propose skipping the above step. That step does protect against spam, because a spammer can create an account, then ask a Mantis admin, then make spam messages, but reviewers know the spammer's identity. If everybody who has an account can add issues, the situation is the same: admin and reviewers know his identity.
I share your points about HTTP/S and spammers creating "issues" via http and no cert.
A related problem: when I want to connect to Bugs, I am asked for a valid client cert at first. Only then am I able to login = to say who I am.
Why is my client certificate insufficient, even though I am assured with 100 AP? Is it only a technical problem?
@alkas ok, I did not read that from your last comment. Now it seems that we agree in most points. :-)
Probably no newbie will ever contact a mantis admin and ask for right elevation.
Should this happen nevertheless, the mantis admin should ask which error they want to report. If they can give a sensible answer to this question they won't be spammers. At least not in the beginning... Let's wait till AIs can handle that situation and re-evaluate then. ;-)
(BTW, knowing/blocking identities does not really help if these "identities" are throwaway mail addresses)
But, IMHO a more sensible process for newbies having problems would be that they write a mail to support (preferably the mailing list, which indeed has some active users). If the support mailing list decides that the report is indeed something that belongs in mantis, some mailing list user with reporter access (I'm quite sure that there are several) should create the issue.
So, to come back to the current issue, I really do not see the need for HTTP access. People active in the support mailing list should be able to import CAcert's roots.
| Date Modified | Username | Field | Change |
| --- | --- | --- | --- |
| 2009-01-03 20:22 | ph3 | New Issue | |
| 2009-01-04 19:35 | Sourcerer | Note Added: 0001265 | |
| 2009-06-05 12:52 | Daniel Black | Project | Main CAcert Website => bugs.cacert.org |
| 2013-07-10 23:59 | BenBE | Relationship added | related to 0001116 |
| 2014-10-04 09:53 | Ruel Print | File Added: rfc3330.txt | |
| 2014-10-04 09:54 | Ruel Print | File Added: dd.exe | |
| 2017-04-04 16:29 | bjobjo | Note Added: 0005543 | |
| 2020-07-02 08:49 | jandd | File Deleted: dd.exe | |
| 2021-08-05 18:29 | Ted | Note Added: 0006043 | |
| 2021-08-05 19:38 | alkas | Note Added: 0006046 | |
| 2021-08-06 10:27 | Golffies | Note Added: 0006052 | |
| 2021-08-06 11:13 | Ted | Note Added: 0006053 | |
| 2021-08-06 12:55 | alkas | Note Added: 0006054 | |
| 2021-08-06 16:48 | alkas | Note Added: 0006056 | |
| 2021-08-07 11:02 | jandd | Note Added: 0006062 | |
| 2021-08-07 18:01 | Ted | Note Added: 0006063 | |
| 2021-08-07 19:39 | alkas | Note Added: 0006066 | |
| 2021-08-07 19:46 | Ted | Note Added: 0006067 | |
| 2021-08-07 19:47 | Ted | Note Edited: 0006067 | |
| 2021-08-07 19:48 | Ted | Note Edited: 0006067 | |
| 2021-08-07 20:21 | alkas | Note Added: 0006069 | |
| 2021-08-07 20:39 | Ted | Note Added: 0006070 | |