27652 – Bugzilla mailer improperly using http_S_

Bug 27652 - Bugzilla mailer improperly using http_S_

Summary: Bugzilla mailer improperly using http_S_

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Bugzilla
Classification:	Community
Component:	Bugzilla General
Sub Component:
Version:	2.8
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	David Lawrence
QA Contact:	David Lawrence
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2001-02-14 20:14 UTC by R P Herrold
Modified:	2007-04-18 16:31 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2002-12-20 16:07:35 UTC
Embargoed:

Attachments	(Terms of Use)

Description R P Herrold 2001-02-14 20:14:40 UTC

The mailers for Bugzilla advice of change emails are of this form:

 To: bfox, herrold, borgan
Subject: [Bug 27106] Changed - Text anaconda install loses state when
    switching through VC's

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=27106

... there is NO benefit for the the use of port 443 SSL here ... it falls
back to port 80 http, 

AND there is a COST -- LYNX-SSL (in which I view the web and read mail)
will NOT keep inter-session cookies for httpS sites ... this is a feature
so that a later hostile user has to re-auth intra-session ...

PLEASE change the mailder to the form:

http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=27106

... so that I might not have to log in over and over as I read mail and
append to Bugzilla transactions ...

Comment 1 David Lawrence 2001-02-15 01:45:03 UTC

I do not understand why you say there is no advantage to using the https
connection over using no ssl connection. This disallows people from seeing your
plaintext password over the network. Are you saying when using the link in an
SSL-capable browser it is redirecting back to an regular http connection? If
that is the case then there is a bug somewhere I need to look into. If this is
not the case then I do not know what needs fixing except for the possibility of
fixing lynx-ssl. In that case I would just remove the s in https before
accessing the link in the email. I was unaware that lynx-ssl had this
disadvantage when fixing the emails with the new links. I was asked by
management to add the https as the standard link since all developers in Red Hat
primarily use ssl-capable browsers that do not have the problems with logging in
multiple times.

Comment 2 R P Herrold 2001-03-10 02:21:04 UTC

PLEASE pull the LYNX from the rawhide, which in RH now supports https, and see
how painful to EVERY TIME have to re-authenticate (since HTTPS cookies are not
retained)

Use it for a day, trying to go from reading mail in pine to viewing in lynx, and
you'll change your mind ...

Comment 3 Aleksey Nogin 2002-11-13 11:30:13 UTC

IMHO, this is a lynx problem, not a bugzilla one.

Comment 4 David Lawrence 2002-12-20 16:07:35 UTC

I have to agree, I have used lynx before and the last time I used it it still
did not support persistent cookies so I had to relogin each time I ran lynx. It
is unfortunate that each time you click on a link in an email it runs a new lynx
session which causes you to have to login. But I feel having the https in the
email far outweighs the disadvantages for people who click on it with SSL
capable browsers and forget to use https instead.

Note You need to log in before you can comment on or make changes to this bug.