Immediate redirect of newsblur http homepage to https homepage

This is a security issue.


Given that I enter
Then I stay on

What should be done:

Configure your http server to do autoredirect to https.


Today I successfully logged in over http so my username and password were sent to your server in plain text.



We just spoke on Twitter and as I mentioned this is intentional. If you want to stay on https, make sure you go to Many NewsBlur users cannot use https because their browsers prevent http images from https.

OK, I understand that. I attached the http interaction from when I use the https login.
The issue is that the server, after a successful login, redirects the user to (Location header).
And it seems that I am not logged in. But when I enter, then I am at my home page. Redirect (Location header) should be to

Hey, where’s my Simpsons quote?

This is not an appropriate answer. You just lost one customer with influence who will write a blog post about this.

@Sam: +1 to “this feels like the wrong compromise” – ‘mostly-https with mixed-content warnings’ is much better overall than having a class of user be all-http-all-the-time.

If you care strongly about the mixed-content warnings, it should be possible to intercept image links in posts & trial-and-error upgrade them to use https, building a cache of domains where this is possible.
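The suggestion in the post above (try each image host over https once and cache the per-domain verdict), as an added example that is not part of the thread or NewsBlur's own code. `ImageUpgrader`, `live_probe` and the `.example` hosts are hypothetical names, and the demo uses a stub probe so it runs offline.

```python
import re
import urllib.request
from urllib.parse import urlsplit

# Matches an <img> src attribute that points at plain http.
IMG_SRC = re.compile(r'(<img\b[^>]*?\bsrc=["\'])http://([^"\'\s>]+)', re.IGNORECASE)

def live_probe(https_url, timeout=3):
    """True if the https URL answers 2xx, with a valid certificate, without
    being redirected back to http. A production probe should also refuse
    hosts that resolve to private or internal addresses."""
    req = urllib.request.Request(https_url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.url.startswith("https://") and 200 <= resp.status < 300
    except Exception:  # any failure means: do not upgrade
        return False

class ImageUpgrader:  # hypothetical helper, not NewsBlur code
    def __init__(self, probe=live_probe):
        self.probe = probe
        self.https_ok = {}  # host -> bool, the "cache of domains"

    def _host_ok(self, host, https_url):
        # Trial and error once per host; later images reuse the verdict.
        if host not in self.https_ok:
            self.https_ok[host] = bool(self.probe(https_url))
        return self.https_ok[host]

    def upgrade(self, html):
        def repl(m):
            https_url = "https://" + m.group(2)
            try:
                parts = urlsplit(https_url)
                host, port = parts.hostname, parts.port
            except ValueError:
                return m.group(0)
            # Leave unparseable hosts, explicit ports and failed hosts on http.
            if not host or port is not None or not self._host_ok(host, https_url):
                return m.group(0)
            return m.group(1) + https_url
        return IMG_SRC.sub(repl, html)

# Constructed sample post body; the stub probe stands in for the network.
SAMPLE = '<p><img src="http://cdn.example/a.png"><img src="http://old.example/b.gif"></p>'

def demo():
    up = ImageUpgrader(probe=lambda url: url.startswith("https://cdn.example/"))
    return up.upgrade(SAMPLE)
```

Images on hosts that fail the probe keep their http URL, so they still trigger a mixed-content warning on an https page rather than silently breaking.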

I was just caught off guard on a mobile device and hotel wifi entering my password over an unencrypted connection. It was my expectation that any site which requires a login would autoredirect to a secure connection. Not sure if this issue is already closed, or if there is a more active one somewhere.

The login form and POST should at least be served over https even if newsblur itself must run in HTTP for people with mixed-content problems.
