Bug 442785 - Links and forms on HTTPS pages refer to HTTP pages
Status: RESOLVED FIXED
Product: bugzilla.gnome.org
Classification: Infrastructure
Component: general
Version: unspecified
Hardware: Other All
Importance: Normal major
Target Milestone: ---
Assigned To: Bugzilla Maintainers
QA Contact: Bugzilla Maintainers
Depends on:
Blocks: 326501
 
 
Reported: 2007-06-01 05:24 UTC by jer
Modified: 2007-08-11 20:48 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description jer 2007-06-01 05:24:40 UTC
Please describe the problem:
Many pages under https://bugzilla.gnome.org/ point to pages on http://bugzilla.gnome.org/, which makes it nearly impossible to use this bugsy securely.

Steps to reproduce:
1. Load https://bugzilla.gnome.org/.
2. Log in (so far so good).
3. Enter a search term.
4. Ignore the browser warning that information is going to be sent from a secure to an insecure page (as it were).
5. See your browser ending up on http://bugzilla.gnome.org/ indeed. :)

Actual results:


Expected results:
Stay connected over HTTPS.

Does this happen every time?


Other information:

Comment 1 Sven Herzberg 2007-06-04 10:19:32 UTC
I actually don't think this is any problem.

1. As long as the certificate isn't trusted by most of the browsers out there, there's no sense in making the login form point to https://
2. Once the certificate is trusted (see dependency bug), all login forms should direct to https:// instead of http://
3. All the other forms and links don't seem relevant to me as you're entering public information anyways.

Comment 2 jer 2007-06-04 16:31:23 UTC
(In reply to comment #1)
> I actually don't think this is any problem.
> 
> 1. As long as the certificate isn't trusted by most of the browsers out there,
> there's no sense in making the login form point to https://
> 2. Once the certificate is trusted (see dependency bug), all login forms 
> should direct to https:// instead of http://

It's not about certificates.

> 3. All the other forms and links don't seem relevant to me as you're entering
> public information anyways.

Even the seemingly secure https:// login form(s) post information to the insecure http:// so there is a clear risk of anyone between my browser and bugzilla.gnome.org sniffing out my login credentials at an early stage in any session I set up. I haven't investigated what types of information the cookies transfer over subsequent insecure requests, but the login alone is insecure. That makes any bugzilla.gnome.org user vulnerable to identity theft/abuse, and this was the original enhancement that bug #326501 requested, and is probably the reason that bug still hasn't been marked resolved.
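
The condition reported in this bug can be checked mechanically. The following Python check is an added example, not part of the original report or of Bugzilla's code: it scans markup served from an HTTPS URL and lists same-host links and form targets that resolve to plain HTTP, marking forms that carry a password field. The class and function names, the sample markup, its CGI paths and its field names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class DowngradeFinder(HTMLParser):
    """Find same-host links and form targets that leave HTTPS for HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = self.base = page_url  # base changes on <base href>
        self.host = urlsplit(page_url).hostname
        self.findings = []       # [tag, url, has_password_field]
        self._open_form = None   # insecure form currently being parsed

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.page_url, attrs["href"])
        elif tag == "input" and self._open_form is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._open_form[2] = True
        elif tag in ("a", "form"):
            target = attrs.get("href" if tag == "a" else "action")
            # No target: form posts to the HTTPS document URL; <a> is not a link.
            url = urljoin(self.base, target) if target else self.page_url
            parts = urlsplit(url)
            insecure = parts.scheme == "http" and parts.hostname == self.host
            if insecure:
                self.findings.append([tag, url, False])
            if tag == "form":
                self._open_form = self.findings[-1] if insecure else None

    def handle_endtag(self, tag):
        if tag == "form":
            self._open_form = None

def find_downgrades(page_url, html):
    finder = DowngradeFinder(page_url)
    finder.feed(html)
    return [tuple(f) for f in finder.findings]

# Constructed sample markup, not a capture of the real site.
SAMPLE = """
<form action="http://bugzilla.gnome.org/index.cgi" method="post">
  <input name="login"><input type="password" name="password"></form>
<form action="/buglist.cgi"><input name="quicksearch"></form>
<a href="http://bugzilla.gnome.org/query.cgi">Search</a> <a href="/enter_bug.cgi">New</a>
"""

for tag, url, has_pw in find_downgrades("https://bugzilla.gnome.org/", SAMPLE):
    print("CREDENTIALS" if has_pw else "link/form", tag, url)
```

Relative targets are resolved against the page's base URL, so a single `<base href="http://...">` turns every relative link on the page into a downgrade and is reported as such.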