Immediate redirect of newsblur http homepage to https homepage

  • 4
  • Problem
  • Updated 2 months ago
This is a security issue.

Description:

Given that I enter http://newsblur.com
Then I stay on http://newsblur.com

What should be done:

Configure your http server to autoredirect to https.

Issue:

Today I successfully logged in over http so my username and password were sent to your server in plain text.



 
 

Karlo Smid

  • 3 Posts
  • 0 Reply Likes

Posted 3 years ago

  • 4

Samuel Clay, Official Rep

  • 6512 Posts
  • 1474 Reply Likes
We just spoke on Twitter and as I mentioned this is intentional. If you want to stay on https, make sure you go to https://www.newsblur.com. Many NewsBlur users cannot use https because their browsers prevent http images from https.

Karlo Smid

  • 3 Posts
  • 0 Reply Likes
Ok, I understand that. I attached the http interaction from when I use https login.
The issue is that the server, after successful login, redirects the user to http://newsblur.com (Location header).
And it seems that I am not logged in. But when I enter https://newsblur.com, then I am at my home page. The redirect (Location header) should be to https://newsblur.com.



Samuel Clay, Official Rep

  • 6512 Posts
  • 1474 Reply Likes
Hey, where's my Simpsons quote?

Karlo Smid

  • 3 Posts
  • 0 Reply Likes
This is not an appropriate answer. You just lost one customer with influence who will write a blog post about this.

James Broadhead

  • 2 Posts
  • 0 Reply Likes
@Sam: +1 to "this feels like the wrong compromise" -- 'mostly-https with mixed-content warnings' is much better overall than having a class of user be all-http-all-the-time.

If you care strongly about the mixed-content warnings, it should be possible to intercept image links in posts & trial-and-error upgrade them to use https, building a cache of domains where this is possible.
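
The image-upgrade idea from the comment above, sketched as an added example (not NewsBlur's code and not part of the thread): each http image host is tried over https once, the result is cached per domain, and only hosts that pass are rewritten. `ImageUpgrader`, `https_probe` and the sample hosts are hypothetical names chosen for this sketch.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Matches the src of an <img> tag that points at plain http.
IMG_SRC = re.compile(r'(<img\b[^>]*?\ssrc=["\'])(http://[^"\']+)', re.IGNORECASE)

def https_probe(url, timeout=3):
    """Return True if the https URL answers a HEAD request with a valid certificate."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except (urllib.error.URLError, OSError, ValueError):
        return False  # TLS failure, 4xx/5xx, timeout: keep the http link

class ImageUpgrader:
    def __init__(self, probe=https_probe):
        self.probe = probe
        self.https_ok = {}  # host -> bool: the cache of domains already tried

    def upgrade(self, match):
        prefix, url = match.group(1), match.group(2)
        parts = urlsplit(url)
        host = parts.netloc.lower()
        secure = urlunsplit(("https",) + tuple(parts[1:]))
        if host not in self.https_ok:  # trial and error, once per domain
            self.https_ok[host] = self.probe(secure)
        return prefix + (secure if self.https_ok[host] else url)

    def rewrite(self, html):
        return IMG_SRC.sub(self.upgrade, html)

# Constructed sample post body; all hosts are placeholders.
SAMPLE_POST = (
    '<p><img src="http://img.example.com/a.png">'
    '<img alt="x" src="http://img.example.com/b.png">'
    '<img src="http://legacy.example.net/c.gif">'
    '<img src="https://ok.example.org/d.png"></p>'
)

if __name__ == "__main__":
    # Stand-in probe so the demo runs offline: only img.example.com "supports" https.
    upgrader = ImageUpgrader(probe=lambda u: urlsplit(u).netloc == "img.example.com")
    print(upgrader.rewrite(SAMPLE_POST))
    print(upgrader.https_ok)
```

Images on hosts that fail the probe keep their http URL, so those are the only ones left to trigger mixed-content handling on an https page.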

Don Marco

  • 1 Post
  • 0 Reply Likes
I was just caught off guard on a mobile device and hotel wifi entering my password over an unencrypted connection. It was my expectation that any site which requires a login would autoredirect to a secure connection. Not sure if this issue is already closed, or if there is a more active one somewhere.

WIZARDISHUNGRY

  • 4 Posts
  • 0 Reply Likes
The login form and POST should at least be served over https even if newsblur itself must run in HTTP for people with mixed-content problems.