Closed letorbi closed 8 years ago
Everything in HTTP is sent in plaintext.
@agilob Yes, and that's a problem. HTTPS fixes this and several other issues and should therefore be used as default.
Anyway, duplicate of #129
Both issues are related, but as far as I can see #129 refers to the Android app only. This one is about the website not using HTTPS by default. I have changed the issue title to reflect this.
@letorbi Thanks for the reminder! We had this because our Let's Encrypt certificates weren't compatible with older mobile devices. This has been fixed in the meantime, so https redirect shouldn't be a problem anymore.
Done, please test (and feel free to reopen on any issues)
Logo "openbmap" still leads to http link, when clicked redirects to https, redirect is very slow.
Thx for the fast fix.
I have no speed problems with the HTTP->HTTPS redirects, but can confirm that the logo link still uses HTTP. Apart from that also the "new server" link from the old site (http://openbmap.org) still points to http://radiocells.org/.
Hej,
the radiocells.org website uses HTTP by default and transfers passwords in clear text when you log in through the website interface. This is a very serious security hole, which should be fixed immediately!
To verify this bug, simply go to the login page (http://radiocells.org/user/login?_next=/), open the network console of your browser and log in. The POST request to http://radiocells.org/user/login?_next=/ will contain your password in its body.
This can easily be fixed by using HTTPS by default and redirecting all HTTP requests to HTTPS. Here are some Apache configuration directives, which might be helpful:
If the Android app uses HTTP as well, the HTTP-to-HTTPS redirect should fix it, too. However, it might be necessary to update the app to handle HTTPS...
Bai Torben
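One way to check a page for the two problems reported in this thread: a password form that submits over HTTP, and leftover `http://` links to the site's own hosts, such as the logo link. This is an added example, not part of the original issue or the project's code; the class and function names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class InsecureRefFinder(HTMLParser):
    """Collect cleartext password forms and http:// links to the site's own hosts."""

    def __init__(self, page_url, own_hosts):
        super().__init__()
        self.page_url = page_url
        self.own_hosts = set(own_hosts)
        self.findings = []        # list of (kind, absolute_url)
        self._form_action = None  # resolved action of the form being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self._form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            target = self._form_action or self.page_url
            if urlsplit(target).scheme == "http":
                self.findings.append(("password-over-http", target))
        elif tag == "a" and a.get("href"):
            target = urljoin(self.page_url, a["href"])
            parts = urlsplit(target)
            if parts.scheme == "http" and parts.hostname in self.own_hosts:
                self.findings.append(("http-link", target))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def audit(html, page_url, own_hosts):
    """Return findings for one HTML document fetched from page_url."""
    finder = InsecureRefFinder(page_url, own_hosts)
    finder.feed(html)
    return finder.findings


# Constructed sample page (not the real site's markup).
SAMPLE = """<a href="http://radiocells.org/"><img alt="openbmap"></a>
<form method="post"><input name="username">
<input type="password" name="password"></form>
<a href="/about">About</a> <a href="http://example.org/">external</a>"""

if __name__ == "__main__":
    for kind, url in audit(SAMPLE, "http://radiocells.org/user/login?_next=/", {"radiocells.org"}):
        print(kind, url)
```

Relative links and form actions are resolved against the URL the page was fetched from, so the same markup is flagged when served over HTTP and passes when served over HTTPS, except for links that hard-code `http://`.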