The forum does not force HTTPS


#1

This forum is currently available side-by-side over HTTPS and old-school HTTP.
Some locations (e.g. https://www.hyperledger.org/blog/2017/05/02/hyperledger-welcomes-project-indy, which was how I navigated to the Forum the first time) do not specify to use HTTPS. The forum.sovrin.org subdomain itself does not force-redirect to an HTTPS connection.

Submitting usernames, emails and passwords over an insecure connection is a well-known security risk, so it would be greatly appreciated if you’d set up the force-redirection to use an HTTPS connection.

On a related note: Some resources, like the current Forum logo, are loaded from an HTTP location, even when using HTTPS. While not an immediate danger, this can be considered sloppy and should also be fixed.
Especially since currently cookies are also not set to be secure-only, these resources provide a means to steal (session) cookies and perform replay attacks that way.

Thanks :slight_smile:

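The three findings in the post above (no HTTP-to-HTTPS redirect, cookies without the Secure attribute, and a logo loaded over http:// on an HTTPS page) can be checked mechanically. The script below is an added example, not code from the forum or its operators; it runs offline against constructed sample responses, and the hostnames and cookie names in those samples are made up.

```python
from html.parser import HTMLParser

REDIRECT_CODES = {301, 302, 307, 308}

def redirects_to_https(status, headers):
    """True if a plain-HTTP response redirects to an https:// Location."""
    location = next((v for k, v in headers if k.lower() == "location"), "")
    return status in REDIRECT_CODES and location.lower().startswith("https://")

def insecure_cookies(headers):
    """Names of cookies set over HTTPS without the Secure attribute."""
    names = []
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        attrs = [p.strip() for p in v.split(";")]
        name = attrs[0].split("=", 1)[0]
        if not any(a.lower() == "secure" for a in attrs[1:]):
            names.append(name)
    return names

class _MixedContent(HTMLParser):
    """Collect sub-resources (img/script/iframe) fetched over http://."""
    TAGS = {"img": "src", "script": "src", "iframe": "src"}
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        want = self.TAGS.get(tag)
        for k, v in attrs:
            if k == want and v and v.lower().startswith("http://"):
                self.urls.append(v)

def mixed_content(html):
    """Return http:// sub-resource URLs found in an HTML page."""
    parser = _MixedContent()
    parser.feed(html)
    return parser.urls

# Constructed sample responses (not captured from any real site).
HTTP_RESPONSE = (200, [("Content-Type", "text/html")])        # serves over HTTP, no redirect
FIXED_RESPONSE = (301, [("Location", "https://forum.example.org/")])  # what a fix looks like
HTTPS_HEADERS = [("Set-Cookie", "_t=abc123; Path=/; HttpOnly"),       # missing Secure
                 ("Set-Cookie", "_forum_session=xyz; Path=/; Secure; HttpOnly")]
PAGE = ('<html><body><img src="http://cdn.example.org/logo.png">'
        '<script src="https://cdn.example.org/app.js"></script></body></html>')

def audit(http_resp, https_headers, html):
    """Summarise the three checks as a dict of findings."""
    status, headers = http_resp
    return {"http_redirects_to_https": redirects_to_https(status, headers),
            "cookies_without_secure": insecure_cookies(https_headers),
            "mixed_content": mixed_content(html)}

if __name__ == "__main__":
    print(audit(HTTP_RESPONSE, HTTPS_HEADERS, PAGE))
```

Against the constructed samples the audit reports no redirect, one cookie (`_t`) lacking Secure, and the http:// logo as mixed content.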

#2

Thanks for pointing that out! After some searching, we believe we’ve discovered the source of the issue and should have it resolved shortly.


#3

Wonderful! Thank you for your swift response. :+1:


#4

The issue has been resolved!