Suggestions: Require HTTPS connections

Message boards : Web site : Suggestions: Require HTTPS connections

Author Message
Hello World
Joined: 19 Nov 14
Posts: 1
Credit: 301,410
RAC: 0
Message 20068 - Posted: 24 Nov 2014, 4:32:26 UTC
Last modified: 24 Nov 2014, 4:47:40 UTC

Currently only the login page is protected by HTTPS. I hope HTTPS is always enforced, so that the cookies can be marked as Secure. If users are redirected to HTTP after login, the cookies can be hijacked by a man-in-the-middle who can use the cookies to log in to others' accounts.

Also the home page (https://boinc.thesonntags.com/collatz/index.php) contains mixed content. Some images are loaded over HTTP rather than HTTPS, such as http://boinc.thesonntags.com/collatz/user_profile/images/10137_sm.jpg. I suggest changing them to relative links.

Hope you can consider the two suggestions. Thanks!

Edit 1: If possible, could you please also disable SSL 3.0 to mitigate POODLE attacks?
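The three checks this post asks for (cookies carrying the Secure flag after login, no redirect from HTTPS back to plain HTTP, and no http:// sub-resources on an https:// page) can be audited from a captured response. The script below is an added example and is not part of the thread or the project's code; the status, headers and HTML are constructed samples on a hypothetical example.test host, not captured from the site.

```python
import re
from urllib.parse import urlparse

# Constructed sample: what a browser might receive right after a successful login
# on a site that only serves the login page over HTTPS. Invented for illustration.
SAMPLE_STATUS = 302
SAMPLE_HEADERS = {
    "Location": "http://example.test/collatz/home.php",   # bounces back to HTTP
    "Set-Cookie": ["auth_user_id=12345; Path=/"],         # no Secure, no HttpOnly
}
SAMPLE_PAGE_URL = "https://example.test/collatz/index.php"
SAMPLE_HTML = """
<html><body>
<img src="http://example.test/collatz/user_profile/images/10137_sm.jpg">
<img src="/collatz/img/logo.png">
<script src="https://example.test/collatz/js/app.js"></script>
<link rel="stylesheet" href="http://example.test/collatz/style.css">
</body></html>
"""

REDIRECT_CODES = (301, 302, 303, 307, 308)

# Matches src/href attributes on embeddable elements that point at a plain http:// URL.
MIXED_RE = re.compile(
    r'<(?:img|script|link|iframe)[^>]+?(?:src|href)=["\'](http://[^"\']+)', re.I
)


def audit_cookie(set_cookie):
    """Return (cookie name, list of missing hardening attributes) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    missing = [a for a in ("secure", "httponly") if a not in attrs]
    return name, missing


def audit_redirect(status, headers, page_url):
    """Return the Location target if an HTTPS page redirects the client to plain HTTP, else None."""
    if status in REDIRECT_CODES and "Location" in headers:
        target = urlparse(headers["Location"])
        if target.scheme == "http" and urlparse(page_url).scheme == "https":
            return target.geturl()
    return None


def find_mixed_content(page_url, html):
    """List http:// sub-resource URLs embedded in a page that was itself served over HTTPS."""
    if urlparse(page_url).scheme != "https":
        return []
    return MIXED_RE.findall(html)


def relative_link(page_url, url):
    """Suggest a fix: a relative path for same-origin links, https:// for third-party ones."""
    page, target = urlparse(page_url), urlparse(url)
    if page.hostname == target.hostname:
        return target.path + (("?" + target.query) if target.query else "")
    return url.replace("http://", "https://", 1)


def run_audit(status=SAMPLE_STATUS, headers=SAMPLE_HEADERS, page_url=SAMPLE_PAGE_URL, html=SAMPLE_HTML):
    """Collect all findings for one response into a dict."""
    mixed = find_mixed_content(page_url, html)
    return {
        "cookies": [audit_cookie(c) for c in headers.get("Set-Cookie", [])],
        "downgrade_redirect": audit_redirect(status, headers, page_url),
        "mixed_content": [(u, relative_link(page_url, u)) for u in mixed],
    }


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

Run against the constructed sample it reports the login cookie missing both Secure and HttpOnly, the post-login redirect to http://, and the two http:// sub-resources with their relative replacements. On a real site you would feed it the status, headers (with every Set-Cookie header collected into a list) and body of the actual post-login response.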

Customminer
Joined: 6 Apr 14
Posts: 1
Credit: 5,232,952
RAC: 0
Message 22305 - Posted: 27 Apr 2016, 21:27:08 UTC

Hijacking this dead thread.

SSL Labs has given Collatz an 'F' ranking: https://www.ssllabs.com/ssltest/analyze.html?d=boinc.thesonntags.com

The website is vulnerable to both the POODLE attack and the OpenSSL CCS vulnerability (CVE-2014-0224).

Any chance this could be addressed in the future?

Thanks :)

Slicker
Volunteer moderator
Project administrator
Project developer
Project tester
Project scientist
Joined: 11 Jun 09
Posts: 2525
Credit: 740,580,099
RAC: 2
Message 22460 - Posted: 27 May 2016, 3:56:22 UTC - in response to Message 22305.

Hijacking this dead thread.

SSL Labs has given Collatz an 'F' ranking: https://www.ssllabs.com/ssltest/analyze.html?d=boinc.thesonntags.com

The website is vulnerable to both the POODLE attack and the OpenSSL CCS vulnerability (CVE-2014-0224).

Any chance this could be addressed in the future?

Thanks :)


Fixed, or at least better. It gets a 'B' now.
Copyright © 2018 Jon Sonntag; All rights reserved.