[MBS-2411] Login page should be encrypted (SSL/TLS)

Type: Improvement
Resolution: Fixed
Priority: Normal
Fix Version/s: 2013-07-22
Affects Version/s: None
Component/s: Accounts, Admin
Labels:
- HTTPS

The page where a user submits their username and password should be handled through HTTPS, to reduce the chance of username and passwords being intercepted, particularly when users are logging in at public hotspots over WiFi.

Given that other sites like GMail and Facebook are now encrypting their entire traffic to overcome Firesheep (http://en.wikipedia.org/wiki/Firesheep) session cookie cloning attacks, it's seems very poor practice that passwords are being sent apparently in plain text.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

musicbrainz_password_in_transit.png
3 kB
2012-06-07 20:54

depends on

MBH-249 SSL capability

Closed

MBS-5122 Use scheme relative links to support https

Closed

has related issue

IMG-68 4 or 5 seconds latency on HTTPS-CAA image loading (instead of none)

Closed

MBS-5298 WikiDocs links are not scheme-independent

Closed

MBS-5301 gravatars do not get loaded over SSL when they should be

Closed

MBS-5347 acoustid API isn't available nor requested over https, so on https musicbrainz-server acoustids don't appear

Closed

MBS-6701 Now being shifted around from http to https

Closed

PICARD-337 Allow using encrypted connection to mb.org

Closed

MBS-5339 Cover Art should be loaded over SSL where possible

Closed

MBS-357 Don't store passwords in clear text

Closed

is a dependency of

MBS-6711 not redirected to HTTPS login page

Closed

is duplicated by

MBS-3631 Allow login vis SSL

Closed

(5 has related issue, 1 is a dependency of, 1 is duplicated by)

Kuno Woudt added a comment - 2013-06-27 07:43

Setting fix version to next release.

This has been enabled on beta.musicbrainz.org, if it doesn't cause any problems there it should be enabled on production during the release.

Kuno Woudt added a comment - 2013-06-27 07:43 Setting fix version to next release. This has been enabled on beta.musicbrainz.org, if it doesn't cause any problems there it should be enabled on production during the release.

Ian McEwen added a comment - 2013-03-10 03:55

I am also removing the fix version – this needs to go forward, but it's definitely not in the next release.

Ian McEwen added a comment - 2013-03-10 03:55 I am also removing the fix version – this needs to go forward, but it's definitely not in the next release.

Ian McEwen added a comment - 2013-03-10 03:55

I don't know why this is marked as in review, but it's not, so I'm pulling it out

Ian McEwen added a comment - 2013-03-10 03:55 I don't know why this is marked as in review, but it's not, so I'm pulling it out

Oliver Charles added a comment - 2013-02-19 08:27

This is in review, but there is no open review. Status update please!

Oliver Charles added a comment - 2013-02-19 08:27 This is in review, but there is no open review. Status update please!

Kuno Woudt added a comment - 2012-12-11 10:14

http://codereview.musicbrainz.org/r/2450/

Kuno Woudt added a comment - 2012-12-11 10:14 http://codereview.musicbrainz.org/r/2450/

Kuno Woudt added a comment - 2012-10-15 19:49

TODO on this ticket:

force SSL for login and registration.

Kuno Woudt added a comment - 2012-10-15 19:49 TODO on this ticket: force SSL for login and registration.

Ian McEwen added a comment - 2012-10-08 23:47

SSL is now available on production. There's at least one issue still, in that https://www.musicbrainz.org (in some situations) will redirect to non-SSL (http://codereview.musicbrainz.org/r/2395/) but the certificate is deployed and ready! SSL Labs test: https://www.ssllabs.com/ssltest/analyze.html?d=musicbrainz.org

Ian McEwen added a comment - 2012-10-08 23:47 SSL is now available on production. There's at least one issue still, in that https://www.musicbrainz.org (in some situations) will redirect to non-SSL ( http://codereview.musicbrainz.org/r/2395/ ) but the certificate is deployed and ready! SSL Labs test: https://www.ssllabs.com/ssltest/analyze.html?d=musicbrainz.org

Oliver Charles added a comment - 2012-10-08 10:05

The window for shipping this to beta testing has closed, so this will have to wait for the next release.

Oliver Charles added a comment - 2012-10-08 10:05 The window for shipping this to beta testing has closed, so this will have to wait for the next release.

Oliver Charles added a comment - 2012-09-24 15:35

Sadly there's a little more to do until we can ship this, so I'm pushing it to the next version.

Oliver Charles added a comment - 2012-09-24 15:35 Sadly there's a little more to do until we can ship this, so I'm pushing it to the next version.

Ian McEwen added a comment - 2012-09-12 20:54

https://www.ssllabs.com/ssltest/analyze.html?d=test.musicbrainz.org is the test page; the BEAST warning has to do with the fact we have a CBC ciphersuite listed first – and browsers have good workarounds for BEAST anyway. So, this is looking pretty good!

Ian McEwen added a comment - 2012-09-12 20:54 https://www.ssllabs.com/ssltest/analyze.html?d=test.musicbrainz.org is the test page; the BEAST warning has to do with the fact we have a CBC ciphersuite listed first – and browsers have good workarounds for BEAST anyway. So, this is looking pretty good!

Assignee:: Kuno Woudt

Reporter:: Anonymous

Votes:: 9 Vote for this issue

Watchers:: 6 Start watching this issue

Due:: 2012-09-11

Created:: 2011-05-30 11:15

Updated:: 2020-02-15 10:03

Resolved:: 2013-07-22 12:40

Version	Package
2013-07-22

Details

Description

Attachments

Attachments

Issue Links

Activity

Collapse comment: Kuno Woudt added a comment - 2013-06-27 07:43

Expand comment: Kuno Woudt added a comment - 2013-06-27 07:43

Collapse comment: Ian McEwen added a comment - 2013-03-10 03:55

Expand comment: Ian McEwen added a comment - 2013-03-10 03:55

Collapse comment: Ian McEwen added a comment - 2013-03-10 03:55

Expand comment: Ian McEwen added a comment - 2013-03-10 03:55

Collapse comment: Oliver Charles added a comment - 2013-02-19 08:27

Expand comment: Oliver Charles added a comment - 2013-02-19 08:27

Collapse comment: Kuno Woudt added a comment - 2012-12-11 10:14

Expand comment: Kuno Woudt added a comment - 2012-12-11 10:14

Collapse comment: Kuno Woudt added a comment - 2012-10-15 19:49

Expand comment: Kuno Woudt added a comment - 2012-10-15 19:49

Collapse comment: Ian McEwen added a comment - 2012-10-08 23:47

Expand comment: Ian McEwen added a comment - 2012-10-08 23:47

Collapse comment: Oliver Charles added a comment - 2012-10-08 10:05

Expand comment: Oliver Charles added a comment - 2012-10-08 10:05

Collapse comment: Oliver Charles added a comment - 2012-09-24 15:35

Expand comment: Oliver Charles added a comment - 2012-09-24 15:35

Collapse comment: Ian McEwen added a comment - 2012-09-12 20:54

Expand comment: Ian McEwen added a comment - 2012-09-12 20:54

People

Dates

Packages