
Forum confirmation email contains non-TLS link


#1

When signing up for an account on the Whonix forum, the confirmation email includes a link to activate the account. That link uses the “http” URL scheme; i.e. it’s not using TLS.

Can this be fixed?


#2

Good day,

Isn’t necessary, as any http based access automatically gets forwarded to the https version.

Have a nice day,

Ego


#3

Forwarded by what, exactly? Is your response an official response from the Whonix project?


#4

whonix.org uses HSTS preloading, but not all browsers support it. ( https://github.com/Whonix/Whonix/issues/34 )

Any server side http -> https redirection is vulnerable to sslstrip and thereby mitm.

The Whonix forum software is not developed by the Whonix team but by a Libre Software project, https://www.discourse.org/. Can you please make this a generic bug report against Discourse?


#5

Good day,

Enabling “force https” in the settings should, as far as I can tell, also force the confirmation URL to contain https. Shall I turn it on and test it?

Have a nice day,

Ego


#6

Good find. Please try, but please also use the same “security” concept of being able to undo this action as described here:

https://www.whonix.org/wiki/Dev/CSS


#7

Good day,

Done and works:

Welcome to Whonix Forum!

Click the following link to confirm and activate your new account:
https://forums.whonix.org/users/activate-account/[randomcodegeneratedbydiscourse]

If the above link is not clickable, try copying and pasting it into the address bar of your web browser

Have a nice day,

Ego
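The two checks this thread turns on, as an added example that is not part of the original posts or of Discourse or Whonix code: (1) scanning an outgoing message for links that still use the plain `http` scheme, which is the defect reported in #1 and shown fixed in #7, and (2) parsing a `Strict-Transport-Security` header and testing it against the HSTS preload-list requirements mentioned in #4 (`max-age` of at least one year, `includeSubDomains`, and the `preload` token, as published at hstspreload.org). The two email bodies are constructed from the text quoted in the thread; the activation token is a placeholder, not a real code, and no network request is made.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the activation email as reported in post #1 (http link)
# and as shown in post #7 after "force https" was enabled. The bracketed
# token is a placeholder, not a real Discourse activation code.
EMAIL_BEFORE = """Welcome to Whonix Forum!

Click the following link to confirm and activate your new account:
http://forums.whonix.org/users/activate-account/[randomcodegeneratedbydiscourse]

If the above link is not clickable, try copying and pasting it into the address bar of your web browser
"""
EMAIL_AFTER = EMAIL_BEFORE.replace("http://", "https://")

# Matches http(s) URLs up to the next whitespace or quote/angle bracket.
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

# Minimum max-age required by the HSTS preload list (one year, in seconds).
ONE_YEAR = 31536000


def find_insecure_links(body: str) -> list:
    """Return every link in an outgoing message whose scheme is plain http.

    A cleartext link in a confirmation email is exactly what an on-path
    attacker running sslstrip waits for: the first request is unencrypted,
    so a server-side redirect to https never gets a chance to help.
    """
    return [u for u in URL_RE.findall(body) if urlparse(u).scheme == "http"]


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax).

    Directives are separated by ';' and matched case-insensitively;
    unknown directives are ignored, as the RFC requires.
    """
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                out["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age: treat as absent
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def meets_preload_requirements(value: str) -> bool:
    """True if the header satisfies the hstspreload.org submission rules:
    max-age >= 1 year, includeSubDomains, and the preload token."""
    h = parse_hsts(value)
    return (
        h["max_age"] is not None
        and h["max_age"] >= ONE_YEAR
        and h["include_subdomains"]
        and h["preload"]
    )


if __name__ == "__main__":
    print("before:", find_insecure_links(EMAIL_BEFORE))
    print("after: ", find_insecure_links(EMAIL_AFTER))
    # Constructed header values; the first is the shape a preloaded site sends.
    for hdr in ("max-age=31536000; includeSubDomains; preload", "max-age=300"):
        print(repr(hdr), "->", meets_preload_requirements(hdr))
```

`find_insecure_links` is the kind of check worth running over every templated email a forum sends, not just the activation one, since a single `http://` link undoes the protection that HSTS gives to browsers that already know the site; `meets_preload_requirements` verifies the header a site must serve before it can be added to the preload list, which is the only thing that protects a browser's very first visit.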


#8

Glad you sorted that out so quickly! :slight_smile: