[openstreetmap/openstreetmap-website] Use https for links in e-mail notifications (#1341)

Till Maas notifications at github.com
Thu Oct 27 15:48:46 UTC 2016

On Wed, Oct 26, 2016 at 08:38:58AM -0700, Tom Hughes wrote:
> Yes our dev servers are a case in point, but the simple answer is that we have no idea who is using the code and in what configurations.

Would you accept help to enable https for them by using letsencrypt

> I also fail to see how you can MITM a link to a user from a friend
> message - it's a public link that anybody can visit! The links which
> matter are the ones that will automatically log you in, which is the
> signup confirmation and the password reset link and possibly the email
> change but I would need to check that.

AFAIU only registered users get these notifications. Therefore a MITM
attacker could include a login form in the response, keep the user on
plain http for all requests (an example attack tool is
https://moxie.org/software/sslstrip/ ) or directly read the user's
authentication cookie since it will be transmitted over plain HTTP.
Therefore if account security matters, the site should only use HTTPS.
If this is not yet possible, then it is important to make sure that
authenticated/registered users access the site only via secured HTTPS.

> I am not going to allow this PR to be used to pursue "https by
> default" by the backdoor. If you want to argue for that then it is a
> separate discussion and it's not a decision I'm going to make by
> myself as the primary maintainer of the code - it's a policy issue not
> a codign issue.

I do not want to sneak this in. Nevertheless I have the opinion that it
is the way it should be. From my point of view it is hard to understand
the criteria for which you agree that HTTPS makes sense.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/rails-dev/attachments/20161027/50fe2c05/attachment.html>

More information about the rails-dev mailing list