Bugs item #1263239, was opened at 2005-08-18 17:25
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1263239&group_id=103
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Web/CGI
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Daniel (doolyo)
Assigned to: Nobody/Anonymous (nobody)
Summary: Mailman on SSL sends passwords in plain text
Initial Comment:
I have tried putting Mailman on a secure path of my
server on an https url. It seemed to work approximately
when adding the following directive in apache:
RewriteCond %{HTTPS} !=on
RewriteRule /mailman/(.*)
https://www\.mysite\.com/mailman/$1 [R]
However, I have sniffed the TCP/HTTP traffic during a list
creation and I have seen that all the form is posted IN
CLEAR. This is normal in fact as we send that to the
http link first (see Bug Request #1263219). Therefore
the whole test is sent in clear and only afterwards the
client receives back the document move to https from
apache to redirect to the proper page.
I think that this could be solved if all links of the
mailman binaries (admin, create and so forth) are taking
dynamically the link specified in the mm_cfg.py, in the
DEFAULT_URL_HOST tag.
However maybe there is another clean way of putting
that on a secure url. If so I would be interested in how to
do that because I didn't find anything about that subject
appart people doing all like I did.
Thanks,
Daniel
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1263239&group_id=103
_______________________________________________
Mailman-coders mailing list
[email protected]
http://mail.python.org/mailman/listinfo/mailman-coders
