CAcert Bug Tracker

ID: 0000666
Project: bugs.cacert.org
Category: misc
View Status: public
Date Submitted: 2009-01-03 20:22
Last Update: 2017-04-04 16:29
Reporter: ph3
Assigned To: (none)
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform: Main CAcert Website
OS: N/A
OS Version: stable
Summary: 0000666: Mantis allows login without SSL/TLS
Description: Mantis allows logging in without SSL/TLS. You need to manually add the "s" for SSL/TLS into the location bar of your browser.
Additional Information: Possible fix:

check for the protocol (HTTP/HTTPS) and redirect to https://$HOST/$SCRIPT?$QUERY_STRING if the request is HTTP. As it will mainly redirect on the login page, this should not break anything.
Tags: No tags attached.
Attached Files:
rfc3330.txt (16,200 bytes) 2014-10-04 09:53
dd.exe (87,552 bytes) 2014-10-04 09:54

- Relationships
related to 0001116 (closed, NEOatNHNG): Setup HSTS for Bugtracker

-  Notes
(0001265)
Sourcerer (administrator)
2009-01-04 19:35

The possibility to log in without HTTPS is a feature, not a bug. (So that people who have trouble importing the root certificate can also file bugs.)
The default login with HTTP is a bug; we would prefer to default to HTTPS login.
Could you evaluate whether we can configure that in Mantis, and if not, file a feature request for that feature on http://www.mantisbt.org/
(0005543)
bjobjo (reporter)
2017-04-04 16:29

Hi,

The confirmation mail when you register in Mantis redirects you to the non-secure access where you have to define your password.

Please change all links to https.

I don't agree with "the possibility to log in without HTTPS is a feature";
this is probably a very specific case. You can still offer a redirect page that displays information, a link to a form specific to this kind of problem and a link to the secure site. A FAQ about "cannot access the https site" can also be present on that form to help the user and avoid a ticket if they did not import the root certificate (which is no longer sufficient, as Firefox is refusing MD5/RSA signed certificates in the full chain, as stated in ticket 0001305).

So please, secure all our sites and make it state of the art.

Thanks a lot for the hard work!
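The HTTP-to-HTTPS redirect the reporter proposes, combined with the HSTS header from the related issue 0001116, as an added example in PHP (the language Mantis is written in); this is not Mantis or CAcert code, and CANONICAL_HOST, request_is_https, https_url and enforce_https are names assumed here:

```php
<?php
// Added example (not Mantis code): force HTTPS and send HSTS, as proposed in this issue.
// Assumptions: CANONICAL_HOST is a placeholder for the site's real hostname, and this file
// is included before any output is sent.

const CANONICAL_HOST = 'bugs.example.org'; // placeholder, not the real CAcert host

// True when the request arrived over TLS. X-Forwarded-Proto is honoured only when the
// connecting peer is a trusted reverse proxy, otherwise any client could spoof it.
function request_is_https(array $server, array $trusted_proxies = []): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if (in_array($server['REMOTE_ADDR'] ?? '', $trusted_proxies, true)) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
    }
    return false;
}

// Same path and query on the canonical host. A fixed host instead of $_SERVER['HTTP_HOST']
// keeps a forged Host header from turning the redirect into an open redirect.
function https_url(array $server, string $host = CANONICAL_HOST): string
{
    // parse_url() also strips any scheme or host smuggled into REQUEST_URI ("//evil/...").
    $parts = parse_url($server['REQUEST_URI'] ?? '/') ?: [];
    $path  = $parts['path'] ?? '/';
    if ($path === '' || $path[0] !== '/') {
        $path = '/' . $path;
    }
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return 'https://' . $host . $path . $query;
}

function enforce_https(array $server, array $trusted_proxies = []): void
{
    if (!request_is_https($server, $trusted_proxies)) {
        header('Location: ' . https_url($server), true, 301);
        exit;
    }
    // On TLS responses, ask browsers to use HTTPS for future visits (cf. issue 0001116).
    header('Strict-Transport-Security: max-age=31536000');
}

enforce_https($_SERVER);
```

A redirect only helps requests that have not yet carried credentials over plain HTTP, which is why fixing the links in the confirmation mail and enabling HSTS matter as well.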

- Issue History
Date Modified Username Field Change
2009-01-03 20:22 ph3 New Issue
2009-01-04 19:35 Sourcerer Note Added: 0001265
2009-06-05 12:52 Daniel Black Project Main CAcert Website => bugs.cacert.org
2013-07-10 23:59 BenBE Relationship added related to 0001116
2014-10-04 09:53 Ruel Print File Added: rfc3330.txt
2014-10-04 09:54 Ruel Print File Added: dd.exe
2017-04-04 16:29 bjobjo Note Added: 0005543

