| View previous topic :: View next topic |
| Author |
Message |
pluby
The Architect
Joined: Jun 16, 2003
Posts: 11949
|
 Posted: Wed May 14, 2008 12:48 pm Post subject: HTTPS support for login added |
|
FYI. I have modified Bugzilla so that whenever you login, make changes to your account, or create a new account, you will go to https://bugzilla.neooffice.org/ instead of http://bugzilla.neooffice.org.
While posting to or reading bugs does not use HTTPS as those pages show public information, we felt that since user passwords are not public, we should use HTTPS to ensure that that data should always be sent over a secure, encrypted connection.
Please let me know if you see any problems with Bugzilla as a result of this change. In the meantime, I will by adding the same security features to NeoWiki login and account administration and, eventually, to Trinity.
Patrick |
|
| Back to top |
|
 |
pluby
The Architect
Joined: Jun 16, 2003
Posts: 11949
|
| Posted: Wed May 14, 2008 3:47 pm Post subject: |
|
FYI. I realized that since I had to make some changes to the Bugzilla code to add HTTPS support, I went ahead and simplified the HTTPS support to do the following:
1. Logging into Bugzilla and viewing any page or attachment while you are logged in will be use HTTPS
2. Anonymous browsing of Bugzilla will use unsecure HTTP
3. Attachments will not be viewable unless you are logged in. Even though all documents in Bugzilla are considered public and anyone can create a Bugzilla account, many search engines have been indexing attachment files despite my efforts to tell them not to so hopefully this will eliminate that problem.
One additional thing I did today was force PayPal to send any donation notifications to our server use HTTPS. Although PayPal does not include any user account profile information other than the donor's e-mail address in these notifications, I figured it does not hurt having PayPal communicate with our servers using a secure connection.
Patrick |
|
| Back to top |
|
|
pluby
The Architect
Joined: Jun 16, 2003
Posts: 11949
|
| Posted: Wed May 14, 2008 8:29 pm Post subject: |
|
More updates: I have enabled HTTPS for NeoWiki for the login page and all web pages while you are logged in. Please let me know if you find any problems.
Patrick |
|
| Back to top |
|
|
pluby
The Architect
Joined: Jun 16, 2003
Posts: 11949
|
| Posted: Mon May 19, 2008 1:10 pm Post subject: |
|
FYI. I have just enabled HTTPS support for all login pages. I have also removed the login form at the bottom of the pages as I noticed that a few forum spammers are using that as a means to route around our CAPTCHA-based login.
Patrick |
|
| Back to top |
|
|
ovvldc
Captain Naiobi
Joined: Sep 13, 2004
Posts: 2352
Location: Zürich, CH
|
| Posted: Mon May 19, 2008 1:32 pm Post subject: |
|
I noticed I have to do my 'new posts since last visit' through https now as well. I had adjusted my bookmark, but no big deal otherwise.
Best wishes,
Oscar
_________________
"What do you think of Western Civilization?"
"I think it would be a good idea!"
- Mohandas Karamchand Gandhi |
|
| Back to top |
|
|
sardisson
Town Crier
Joined: Feb 01, 2004
Posts: 4588
|
| Posted: Mon May 19, 2008 1:53 pm Post subject: |
|
It's not a huge deal, but I noticed the "unlocked lock" indicating that not all of the forum page is served over https once logged in (it seems to be the JS file for the Google search field that's still being included from http).
Smokey
_________________
"[...] whether the duck drinks hot chocolate or coffee is irrelevant." -- ovvldc and sardisson in the NeoWiki |
|
| Back to top |
|
|
pluby
The Architect
Joined: Jun 16, 2003
Posts: 11949
|
| Posted: Mon May 19, 2008 2:17 pm Post subject: |
|
| sardisson wrote: | | It's not a huge deal, but I noticed the "unlocked lock" indicating that not all of the forum page is served over https once logged in (it seems to be the JS file for the Google search field that's still being included from http). |
Yes, the occurs with Firefox-based browsers. In Bugzilla and NeoWiki, I originally hid the Google search field when logged in because of that reason.
Unfortunately, Google does not support HTTPS for its custom search field so instead of hiding it while logged in, I have hidden it only when using the login page. Having the search box on the login page isn't really necessary and by hidding it there, you don't get the unlocked lock on that page.
Patrick |
|
| Back to top |
|
|
pluby
The Architect
Joined: Jun 16, 2003
Posts: 11949
|
| Posted: Mon May 19, 2008 3:34 pm Post subject: |
|
| pluby wrote: | | Unfortunately, Google does not support HTTPS for its custom search field so instead of hiding it while logged in, I have hidden it only when using the login page. Having the search box on the login page isn't really necessary and by hidding it there, you don't get the unlocked lock on that page. |
I found that it is the Google background image in the search box that is causing the unlocked lock. I have disabled that JavaScript whenever HTTPS is used so now that search box should not cause the unlocked lock anymore.
Patrick |
|
| Back to top |
|
|
|
