Linode Community Forums
Login page delivered without SSL

Forum: Feature Request/Bug Report
bdonlan



Joined: 22 Jan 2008
Posts: 67

Posted: Thu Jan 31, 2008 2:13 pm    Post subject: Login page delivered without SSL  

In many cases, one can be redirected to the member login page at http[s]://www.linode.com/members/index.cfm without SSL. For example, simply clicking on the 'members' tab will do this. You can also be redirected from SSL to non-SSL when your session expires.

If the login page is delivered without SSL, a man-in-the-middle attack could replace the form's target URL to one that the attacker controls, thus negating some of the benefit of the SSL in the members area beyond. While unlikely to happen on a LAN, this is very possible on public wifi hotspots and the like.

Since the member login page does work with SSL if you replace http with https, I'd suggest adding appropriate directives to redirect from http to https, should the user arrive at the login page on http. Additionally, ensure that SSL pages will never redirect to a non-SSL login page.

Although the user still has to notice the case where they enter from a non-SSL page, and the login page is made to go over non-SSL by the attacker, at the very least an alert user should be able to notice that the login page is suddenly being delivered without SSL.
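A small added check, not from this thread or from Linode, that models the two failure modes bdonlan describes: a login form whose action resolves to http (a relative action inherits the page's scheme), and a redirect chain that drops from https to http, such as the session-timeout redirect. The page URL, HTML and redirect hops below are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a login page fetched over plain http.
# Hypothetical markup, not the real members page.
SAMPLE_PAGE_URL = "http://www.linode.com/members/index.cfm"
SAMPLE_HTML = """
<html><body>
<form method="post" action="index.cfm">
  <input name="username"><input name="password" type="password">
</form>
</body></html>
"""


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")


def insecure_form_targets(page_url, html):
    """Absolute URL of every form that would submit over something other
    than https. A relative action such as "index.cfm" resolves against the
    page URL, so the same form is safe on https and unsafe on http."""
    parser = _FormActions()
    parser.feed(html)
    targets = [urljoin(page_url, a) for a in parser.actions]
    return [t for t in targets if urlsplit(t).scheme != "https"]


def redirect_chain_downgrades(hops):
    """hops: URLs in the order the client visited them (start URL first,
    each Location header already resolved). True if any hop goes from
    https to http, e.g. a session timeout bouncing to an http login page."""
    schemes = [urlsplit(u).scheme for u in hops]
    return any(a == "https" and b == "http" for a, b in zip(schemes, schemes[1:]))


def login_page_is_safe(page_url, html, hops):
    """The page itself is https, no form posts over http, and no redirect
    on the way here downgraded the connection."""
    return (urlsplit(page_url).scheme == "https"
            and not insecure_form_targets(page_url, html)
            and not redirect_chain_downgrades(hops))
```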
caker



Joined: 15 Apr 2003
Posts: 2369
Location: Galloway, NJ

Posted: Thu Jan 31, 2008 2:26 pm    Post subject:  

bdonlan wrote: In many cases, one can be redirected to the member login page at http[s]://www.linode.com/members/index.cfm without SSL. For example, simply clicking on the 'members' tab will do this. You can also be redirected from SSL to non-SSL when your session expires.
How are you reproducing this? The "Members" tab is hard-coded with an https link.

UPDATE: I found it, and fixed it. Session timeouts were redirecting to http. Thanks! :)

bdonlan wrote: Since the member login page does work with SSL if you replace http with https, I'd suggest adding appropriate directives to redirect from http to https, should the user arrive in the login page on http.
Agreed. I'll make that change.

bdonlan wrote: Additionally, ensure that SSL pages will never redirect to a non-SSL login page.
Not sure I follow this one -- forums, pastebin, planet, etc., don't need to be https.

Thanks for the comments,
-Chris
bdonlan



Joined: 22 Jan 2008
Posts: 67

Posted: Thu Jan 31, 2008 4:21 pm    Post subject:  

caker wrote:
bdonlan wrote: Additionally, ensure that SSL pages will never redirect to a non-SSL login page.
Not sure I follow this one -- forums, pastebin, planet, etc., don't need to be https.

Thanks for the comments,
-Chris
I just mean in general, don't go from https://*.linode.com/* to http://www.linode.com/members/index.cfm, but I suppose the session timeouts are what were causing that.