Forum confirmation email contains non-TLS link

When signing up for an account on the Whonix forum, the confirmation email includes a link to activate the account. That link uses the “http” URL scheme; i.e. it’s not using TLS.

Can this be fixed?

2 Likes

Good day,

It isn’t necessary, as any http-based access automatically gets forwarded to the https version.

Have a nice day,

Ego

Forwarded by what, exactly? Is your response an official response from the Whonix project?

whonix.org uses HSTS preloading, but not all browsers support it. ( https://github.com/Whonix/Whonix/issues/34 )

Any server-side http → https redirection is vulnerable to sslstrip and thereby to MITM.

The Whonix forum software is not developed by the Whonix team but by a Libre Software project, https://www.discourse.org/. Can you please make this a generic bug report against Discourse?

Good day,

Enabling “force https” in the settings should, as far as I can tell, also force the confirmation URL to contain https. Shall I turn it on and test it?

Have a nice day,

Ego

Good find. Please try but please also use the same “security” concept of being able to undo this action as described here:

Dev/CSS - Kicksecure

Good day,

Done and works:

Welcome to Whonix Forum!

Click the following link to confirm and activate your new account:
https://forums.whonix.org/users/activate-account/[randomcodegeneratedbydiscourse]

If the above link is not clickable, try copying and pasting it into the address bar of your web browser

Have a nice day,

Ego

1 Like

Glad you sorted that out so quickly! 🙂

Not sure if you changed something, but the confirmation email is pointing again to the HTTP version of the forum:

https://forums.whonix.org/u/activate-account/[...]

Forum admin login points out:

  • Your website is using SSL. But force_https is not yet enabled in your site settings.

Enabling this setting would break the Whonix onion domain.

Unless you use a browser that doesn’t implement the HSTS preload list (why would you do that?), this doesn’t matter, since whonix.org is in the HSTS preload list anyhow. All major browsers have supported HSTS preload for a long time.

When using a browser without HSTS preload support but with at least HSTS support, it would still use https due to the HSTS header.

That leaves the use case of browsers supporting neither HSTS preload nor HSTS: all non-https connections are upgraded to https anyhow. This is of course vulnerable to sslstrip attacks. There is nothing any website owner can do about it. Users interested in security should use browsers with HSTS preload support.

HSTS References:
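As an added example (not from this thread, not Discourse code), a small Python check an admin could run over an outgoing activation mail and over the site's Strict-Transport-Security header, covering both points raised above: whether the activation link itself is non-TLS, and whether the HSTS policy meets the preload list's requirements (max-age of at least one year, includeSubDomains, preload). The mail bodies and header values below are constructed samples.

```python
import re

# Constructed sample: an activation mail as sent with force_https off
# (http link) and, derived from it, the same mail with force_https on.
EMAIL_HTTP = """Welcome to Whonix Forum!

Click the following link to confirm and activate your new account:
http://forums.whonix.org/u/activate-account/EXAMPLE_TOKEN
"""
EMAIL_HTTPS = EMAIL_HTTP.replace("http://", "https://")

URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+")


def plaintext_links(body: str) -> list[str]:
    """Return every link in the mail body that does not use TLS."""
    return [u for u in URL_RE.findall(body) if u.lower().startswith("http://")]


def parse_hsts(header: str) -> dict:
    """Split a Strict-Transport-Security value into its directives."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        # Valueless directives (includeSubDomains, preload) are stored as True.
        directives[name.strip().lower()] = value.strip().strip('"') or True
    return directives


ONE_YEAR = 31536000  # seconds; minimum max-age the preload list accepts


def hsts_preload_problems(header: str) -> list[str]:
    """List what the header lacks for preload-list eligibility; empty means OK."""
    d = parse_hsts(header)
    problems = []
    try:
        max_age = int(d.get("max-age", 0))
    except (TypeError, ValueError):
        max_age = 0  # malformed or missing value counts as no protection
    if max_age < ONE_YEAR:
        problems.append("max-age below 31536000")
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload")
    return problems
```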