285163 – Mixed content (secure and insecure) on overlays.gentoo.org

Bug 285163 - Mixed content (secure and insecure) on overlays.gentoo.org

Summary: Mixed content (secure and insecure) on overlays.gentoo.org

Status:	RESOLVED WONTFIX

Alias:	None

Product:	Gentoo Infrastructure
Classification:	Unclassified
Component:	Other (show other bugs)
Hardware:	All All

Importance:	High normal (vote)
Assignee:	Gentoo Overlays Project

URL:	https://overlays.gentoo.org/
Whiteboard:
Keywords:	SECURITY

Depends on:
Blocks:

Reported:	2009-09-16 07:48 UTC by Nico R.
Modified:	2012-06-27 16:04 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Nico R. 2009-09-16 07:48:15 UTC

overlays.gentoo.org delivers insecure content (via HTTP) when you are accessing it by HTTPS: the header of the delivered web pages includes the image from
http://overlays.gentoo.org/trac/gentoo-20060214/gentoo-overlays.png

Reproduce:
Use Firefox and go to https://overlays.gentoo.org/ with the warning for mixed content enabled.

Or use openssl s_client or curl or whatever else to retrieve https://overlays.gentoo.org/ and grep for "http://". You can see that content is included via HTTP.

*And* you can see many, many links which start with "http://overlays.gentoo.org/". While this is not an immediate problem, the links should really drop the protocol and domain parts so that users will stay on HTTPS once connected.

Workaround:
Use NoScript extension for Firefox and set it to always use HTTPS for overlays.gentoo.org. Or use a transparent proxy and filter the content.

Comment 1 Robin Johnson archtester

2009-09-16 09:31:39 UTC

jokey: your field.

Comment 2 Theo Chatzimichos (RETIRED) archtester

2012-06-27 16:04:37 UTC

the overlays.gentoo.org instance is unmaintained and I plan to replace it with redmine/chilli. Sorry but WONTFIX