Opened 20 months ago

Closed 2 months ago

#5466 closed defect (fixed)

Security - wiki sign up email confirmation uses http links

Reported by: Terence Eden
Owned by: Tigerfell
Priority: minor
Milestone:
Component: wiki
Version:
Keywords: Security, email
Cc: tacsipacsi

Description

New user signs up to edit the wiki.

Confirmation email sent to their email address.

Email contains links to http://wiki.openstreetmap.org rather than the https version.

While I'm sure the website automatically redirects, a malicious MITM could redirect the user before that happens.

Hopefully a simple configuration change.

Attachments (1)

Screenshot_20170819-175941.jpg (121.6 KB) - added by Terence Eden 20 months ago.
Screenshot of the confirmation email


Change History (4)

Changed 20 months ago by Terence Eden

Screenshot of the confirmation email

comment:1 Changed 16 months ago by tacsipacsi

Cc: tacsipacsi added

The wiki does not redirect, at least not for watchlist notification emails. (Unless you check the appropriate option in your preferences, but a new user won’t have that checked.) $wgServer should be changed from http://wiki.openstreetmap.org to https://wiki.openstreetmap.org in LocalSettings.php (I hope).

comment:2 Changed 2 months ago by Tigerfell

Owner: changed from Grant Slater to Tigerfell
Status: new → accepted

Thanks for the suggestion @tacsipacsi. We did it slightly differently now. Link to the change in our GitHub repo: https://github.com/openstreetmap/chef/pull/219.

comment:3 Changed 2 months ago by Tigerfell

Resolution: fixed
Status: accepted → closed
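
A regression check for the issue in this ticket, added here as an example (it is not part of the ticket, MediaWiki or the OpenStreetMap chef repository): it parses an outgoing mail and reports any plain-http link to a host that should only be linked over HTTPS. The sample message, its addresses and token, and the names `HTTPS_ONLY_HOSTS`, `text_parts` and `insecure_links` are assumptions made for the example.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Hosts that must only ever be linked over HTTPS (the wiki host from this ticket).
HTTPS_ONLY_HOSTS = {"wiki.openstreetmap.org"}

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)

# Constructed sample message; addresses and token are placeholders.
SAMPLE_EMAIL = """\
From: wiki@example.org
To: newuser@example.org
Subject: Wiki email address confirmation
Content-Type: text/plain; charset="utf-8"

Someone registered an account with this address. To confirm, open:

http://wiki.openstreetmap.org/wiki/Special:ConfirmEmail/PLACEHOLDER_TOKEN

To cancel instead, open:

https://wiki.openstreetmap.org/wiki/Special:InvalidateEmail/PLACEHOLDER_TOKEN
"""

def text_parts(msg):
    """Yield the decoded body of every text/* part of a (possibly multipart) message."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")

def insecure_links(raw_email, hosts=HTTPS_ONLY_HOSTS):
    """Return plain-http links in the mail that point at an HTTPS-only host."""
    found = []
    for body in text_parts(message_from_string(raw_email)):
        for url in URL_RE.findall(body):
            parts = urlsplit(url.rstrip(".,;"))  # drop trailing sentence punctuation
            if parts.scheme.lower() == "http" and (parts.hostname or "").lower() in hosts:
                found.append(parts.geturl())
    return found

if __name__ == "__main__":
    for link in insecure_links(SAMPLE_EMAIL):
        print("insecure link:", link)
```

Run against a captured confirmation or watchlist notification mail after changing `$wgServer`, an empty result means no http links to the wiki host remain in that message.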