Forum confirmation email contains non-TLS link


When signing up for an account on the Whonix forum, the confirmation email includes a link to activate the account. That link uses the “http” URL scheme; i.e. it’s not using TLS.

Can this be fixed?


Good day,

Isn’t necessary, as any http based access automatically gets forwarded to the https version.

Have a nice day,



Forwarded by what, exactly? Is your response an official response from the Whonix project?


whonix.org uses HSTS preloading, but not all browsers support it. ( https://github.com/Whonix/Whonix/issues/34 )

Any server side http -> https redirection is vulnerable to sslstrip and thereby mitm.

The Whonix forum software is not developed by the Whonix team but by a Libre Software project, https://www.discourse.org/. Can you please make this a generic bug report against Discourse?
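The point made in the post above (an `http` link is only upgraded before the first request if the browser already knows the host's HSTS policy) can be checked mechanically. This is an added example, not part of the original thread or of Discourse; the host, token and header value are constructed placeholders, and the one-year `max-age` minimum is the HSTS preload list's submission requirement.

```python
import re
from urllib.parse import urlsplit

# Minimum max-age accepted for HSTS preload list submission (one year).
MIN_PRELOAD_MAX_AGE = 31536000

# Constructed sample data; host, token and header values are placeholders.
SAMPLE_EMAIL = """Click the following link to confirm and activate your new account:
http://forum.example.invalid/u/activate-account/CONSTRUCTED-TOKEN
Help pages: https://forum.example.invalid/faq
"""
SAMPLE_HSTS = "max-age=31536000; includeSubDomains; preload"

def parse_hsts(header):
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    return directives

def preload_eligible(header):
    """True if the header meets the preload list's directive requirements."""
    d = parse_hsts(header)
    max_age = d.get("max-age", "")
    if not max_age.isdigit():
        return False
    return (int(max_age) >= MIN_PRELOAD_MAX_AGE
            and "includesubdomains" in d and "preload" in d)

def insecure_links(body):
    """Return every plain-http link found in an email body."""
    urls = re.findall(r"https?://[^\s<>\"']+", body, flags=re.IGNORECASE)
    return [u for u in urls if urlsplit(u).scheme.lower() == "http"]

def audit(body, hsts_header):
    """Map each http link to what protects a client's first request to it."""
    if preload_eligible(hsts_header):
        verdict = "cleartext unless the browser has the preload entry or a cached policy"
    else:
        verdict = "cleartext on first visit; only a server-side redirect upgrades it"
    return {url: verdict for url in insecure_links(body)}

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_EMAIL, SAMPLE_HSTS).items():
        print(url, "->", verdict)
```

Either verdict is a reason to emit `https` links in the email itself, since that removes the dependency on browser-side HSTS state.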


Good day,

Enabling “force https” in the settings should, as far as I can tell, also force the confirmation URL to contain https. Shall I turn it on and test it?

Have a nice day,



Good find. Please try but please also use the same “security” concept of being able to undo this action as described here:



Good day,

Done and works:

Welcome to Whonix Forum!

Click the following link to confirm and activate your new account:

If the above link is not clickable, try copying and pasting it into the address bar of your web browser

Have a nice day,



Glad you sorted that out so quickly! :)