Bug 53855 - Insecure login to www.redhat.com/bugzilla using Netscape on RH Linux 7.1
Status: CLOSED CURRENTRELEASE
Product: Bugzilla
Classification: Community
Component: Bugzilla General
Version: 2.8
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: David Lawrence
David Lawrence
URL: http://www.redhat.com/bugzilla/login.cgi
Keywords: Security
Reported: 2001-09-19 19:17 EDT by Mark Harig
Modified: 2007-04-18 12:37 EDT
Doc Type: Bug Fix
Last Closed: 2003-04-02 18:36:06 EST

Description Mark Harig 2001-09-19 19:17:27 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

Description of problem:
When I attempt to log in to www.redhat.com/bugzilla using Netscape 4.x on 
RH Linux 7.1, a warning is issued: "The information you submit is insecure 
and could be observed by a third party while in transit.  If you are 
submitting passwords, credit card numbers, or other information that you 
would like to keep private, it would be safer for you to cancel the 
submission."

Is it OK for Red Hat's Bugzilla passwords to be transmitted as clear text?


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Start Netscape in RH Linux 7.1
2. Open the web page www.redhat.com/bugzilla
3. Click on login, and enter your login ID and password.
4. Click on the 'Login' button.  The warning message is displayed.
	

Actual Results:  The warning message about the insecure transfer of a 
login ID and password is displayed.

Expected Results:  An encrypted transfer of the bugzilla user's login ID 
and password should be performed.

Additional info:
Comment 1 David Lawrence 2001-09-19 19:29:31 EDT
I need to have them remove that redirect from the main web site as it causes
confusion. But it is not necessarily a bug. If you go directly to 

http://bugzilla.redhat.com/bugzilla 

you will still get the error about passing insecure information since the
channel is not encrypted. You can connect to Bugzilla securely by using the
following URL instead:

https://bugzilla.redhat.com/bugzilla

This should be more secure. I will speak with the web guys to make sure this is
the default or the redirect is removed altogether.
Comment 2 Kjartan Maraas 2003-04-02 17:25:42 EST
Still not using https as the default, right?
Comment 3 Mark Harig 2003-04-02 17:42:07 EST
> Still not using https as the default, right?

It appears to be using https as the default for me now when I click on the "Red 
Hat Network" link in Mozilla (after loading the redhat.com web page).

As far as I can tell, this bug has been fixed.
Comment 4 David Lawrence 2003-04-02 18:36:06 EST
Should be the default. If you find an entry point for logging in that doesn't use
https, please reopen this and let me know.
