openbmap / radiocells-scanner-android

WLAN and cell tower scanner for Radiocells.org
https://www.radiocells.org

Website should use HTTPS by default #147

Closed letorbi closed 8 years ago

letorbi commented 8 years ago

Hej,

the radiocells.org website uses HTTP by default and transfers passwords in clear text when you log in through the website interface. This is a very serious security hole, which should be fixed immediately!

To verify this bug, simply go to the login page (http://radiocells.org/user/login?_next=/), open the network console of your browser and log in. The POST request to http://radiocells.org/user/login?_next=/ will contain your password in its body.

This can easily be fixed by using HTTPS by default and redirecting all HTTP requests to HTTPS. Here are some Apache configuration directives, which might be helpful:

# NOTE Redirect to HTTPS and remove www from hostname (put in HTTP host configuration)
# Requires mod_rewrite; RewriteEngine must be switched on in the vhost.
RewriteEngine On
# %1 is the hostname without a leading "www.", $1 the requested path (incl. leading "/")
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.*)$ [NC]
RewriteRule ^(.*)$ https://%1$1 [L,QSA,R=301]

# NOTE Activate strict transport security (put in HTTPS host configuration)
# Requires mod_headers. "always" also sets the header on error responses.
# (The browser preload list additionally requires includeSubDomains.)
Header always set Strict-Transport-Security "max-age=63072000; preload"

If the Android app uses HTTP as well, the HTTP-to-HTTPS redirect should fix it, too. However, it might be necessary to update the app to handle HTTPS...

Bai Torben
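The two checks the report above asks for (an http:// request must be answered with a redirect to the https:// URL of the same host, and the https:// response must carry a usable Strict-Transport-Security header) as an added example in Python. This is not code from the issue or from the radiocells project; the host example.org and the HTTP exchanges are constructed stand-ins so it runs offline, and the response class is a minimal placeholder, not a real client.

```python
"""Offline check of an HTTP->HTTPS redirect plus HSTS policy (added example)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed, not fetched)."""
    url: str                      # URL that was requested
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # header names are case-insensitive
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797) into a dict,
    or return None when it is missing or unusable (max-age is mandatory)."""
    if value is None:
        return None
    policy = {"max-age": None, "includeSubDomains": False, "preload": False}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None          # max-age must be a delta-seconds integer
            policy["max-age"] = int(arg)
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, as the RFC requires
    return policy if policy["max-age"] is not None else None


def _strip_www(host):
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_https_redirect(resp):
    """True if an http:// request was answered with a redirect to https://
    on the same host and path (a leading www. may be dropped, as the
    Apache rule above does)."""
    if resp.status not in (301, 302, 307, 308):
        return False
    location = resp.header("Location")
    if not location:
        return False
    src, dst = urlsplit(resp.url), urlsplit(location)
    if src.scheme != "http" or dst.scheme != "https":
        return False
    return _strip_www(src.hostname) == _strip_www(dst.hostname) and src.path == dst.path


def audit(http_resp, https_resp, min_age=31536000, want_preload=False):
    """Return a list of findings; an empty list means the policy is in place."""
    findings = []
    if not is_https_redirect(http_resp):
        findings.append("http:// is served directly or redirects elsewhere")
    hsts = parse_hsts(https_resp.header("Strict-Transport-Security"))
    if hsts is None:
        findings.append("https:// response has no usable Strict-Transport-Security header")
    else:
        if hsts["max-age"] < min_age:
            findings.append(f"HSTS max-age {hsts['max-age']} is below {min_age}")
        if want_preload and not (hsts["includeSubDomains"] and hsts["preload"]):
            findings.append("preload submission requires includeSubDomains and preload")
    return findings


# Constructed exchanges for a hypothetical host (example.org); "before" mirrors
# the situation reported above, "after" the proposed Apache configuration.
BEFORE_HTTP = Response("http://www.example.org/user/login", 200, {"Content-Type": "text/html"})
BEFORE_HTTPS = Response("https://example.org/user/login", 200, {})
AFTER_HTTP = Response("http://www.example.org/user/login", 301,
                      {"Location": "https://example.org/user/login"})
AFTER_HTTPS = Response("https://example.org/user/login", 200,
                       {"strict-transport-security": "max-age=63072000; preload"})

if __name__ == "__main__":
    print("before:", audit(BEFORE_HTTP, BEFORE_HTTPS))
    print("after :", audit(AFTER_HTTP, AFTER_HTTPS, want_preload=True))
```

Against a live host the same functions can be fed from any HTTP client that does not follow redirects; the redirect check deliberately requires the path to survive, since a redirect to the HTTPS front page would still break the login POST.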

agilob commented 8 years ago

Everything in HTTP is sent in plaintext.

letorbi commented 8 years ago

@agilob Yes, and that's a problem. HTTPS fixes this and several other issues and should therefore be used as default.

agilob commented 8 years ago

Anyway, duplicate of #129

letorbi commented 8 years ago

Both issues are related, but as far as I can see #129 refers to the Android app only. This one is about the website not using HTTPS by default. I have changed the issue title to reflect this.

wish7code commented 8 years ago

@letorbi Thanks for the reminder! We had this because our Let's Encrypt certificates weren't compatible with older mobile devices. This has been fixed in the meantime, so the HTTPS redirect shouldn't be a problem anymore.

wish7code commented 8 years ago

Done, please test (and feel free to reopen on any issues)

agilob commented 8 years ago

The "openbmap" logo still leads to an http link; when clicked it redirects to https, and the redirect is very slow.

letorbi commented 8 years ago

Thx for the fast fix.

I have no speed problems with the HTTP->HTTPS redirects, but I can confirm that the logo link still uses HTTP. Apart from that, the "new server" link on the old site (http://openbmap.org) also still points to http://radiocells.org/.
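The leftover http:// references the last two comments describe (a logo link and an outbound link that still point at the plain-HTTP site) are easy to miss by hand. As an added example, not code from the issue or the radiocells project, the following scans an HTML document for links, form actions and embedded resources that resolve to http:// and triages them by what they expose. The page below is constructed for a hypothetical host, example.org.

```python
"""Find http:// references left on a page served over https (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# element -> attribute that carries a URL
URL_ATTRS = {
    "a": "href", "link": "href", "img": "src", "script": "src",
    "iframe": "src", "form": "action",
}

# what an http:// reference of each kind means for the user of an https page
SEVERITY = {
    "form": "form data (e.g. a password) is POSTed in clear text",
    "script": "active mixed content, blocked by browsers",
    "iframe": "active mixed content, blocked by browsers",
    "link": "active mixed content (stylesheet), blocked by browsers",
    "img": "passive mixed content (image)",
    "a": "navigational link, relies on the HTTP->HTTPS redirect",
}


class InsecureRefFinder(HTMLParser):
    """Collect (tag, attribute, absolute URL) for every reference using http://."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if not value:
            return
        # Relative and protocol-relative ("//host/x") references inherit the
        # page's scheme, so only absolute http:// URLs remain after resolution.
        target = urljoin(self.base_url, value)
        if urlsplit(target).scheme == "http":
            self.findings.append((tag, attr, target))


def find_insecure_refs(html, base_url):
    parser = InsecureRefFinder(base_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def triage(findings, own_host):
    """Return (tag, url, severity, fixable_here) per finding. References to
    our own host can be fixed in our templates; others need the other site."""
    rows = []
    for tag, _attr, url in findings:
        same_site = (urlsplit(url).hostname or "").lower() == own_host.lower()
        rows.append((tag, url, SEVERITY[tag], same_site))
    return rows


# Constructed page: the logo link and a login form still use http://, the CDN
# script is protocol-relative (fine), the banner image is third-party http://.
SAMPLE_HTML = """
<html><body>
<a href="http://example.org/"><img src="/static/logo.png" alt="logo"></a>
<a href="/user/login">Login</a>
<a href="https://example.org/map">Map</a>
<form action="http://example.org/user/login" method="post">
  <input name="password" type="password"></form>
<script src="//cdn.example.net/app.js"></script>
<img src="http://images.example.net/banner.png">
</body></html>
"""

if __name__ == "__main__":
    for row in triage(find_insecure_refs(SAMPLE_HTML, "https://example.org/"), "example.org"):
        print(row)
```

Run it over a crawl of the HTTPS site after the redirect is in place: the "a" rows are the ones that cost a round trip through the redirect on every click, while a "form" row would mean the credentials are still sent in clear text regardless of the redirect.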