Immediate redirect of newsblur http homepage to https homepage

This is a security issue.

Description:

Given that I enter http://newsblur.com
Then I stay on http://newsblur.com

What should be done:

Configure your http server to autoredirect to https.

Issue:

Today I successfully logged in over http so my username and password were sent to your server in plain text.


2 Likes

We just spoke on Twitter and as I mentioned this is intentional. If you want to stay on https, make sure you go to https://www.newsblur.com. Many NewsBlur users cannot use https because their browsers prevent http images from https.

Ok, I understand that. I attached the http interaction when I use the https login.
The issue is that the server, after a successful login, redirects the user to http://newsblur.com (Location header).
And it seems that I am not logged in. But when I enter https://newsblur.com, then I am at my home page. The redirect (Location header) should be to https://newsblur.com.

Hey, where’s my Simpsons quote?

This is not an appropriate answer. You just lost one customer with influence who will write a blog post about this.

@Sam: +1 to “this feels like the wrong compromise” – ‘mostly-https with mixed-content warnings’ is much better overall than having a class of user be all-http-all-the-time.

If you care strongly about the mixed-content warnings, it should be possible to intercept image links in posts & trial-and-error upgrade them to use https, building a cache of domains where this is possible.

I was just caught off guard on a mobile device and hotel wifi entering my password over an unencrypted connection. It was my expectation that any site which requires a login would autoredirect to a secure connection. Not sure if this issue is already closed, or if there is a more active one somewhere.

The login form and POST should at least be served over https even if newsblur itself must run in HTTP for people with mixed-content problems.

1 Like
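
The two problems raised in this thread (a login form reachable over http, and a post-login `Location` header that drops from https back to http) can be checked mechanically. The following is an added example, not part of the original thread or NewsBlur's code; the `/login` path, the function names and the sample exchanges are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginForms(HTMLParser):
    """Collect the action of every <form> that contains a password field."""

    def __init__(self):
        super().__init__()
        self.actions, self._action = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._action = attrs.get("action") or ""
        elif tag == "input" and (attrs.get("type") or "").lower() == "password" and self._action is not None:
            self.actions.append(self._action)

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def audit_login_flow(exchanges):
    """exchanges: (request URL, status, headers dict, body) tuples. Returns findings."""
    findings = []
    for url, status, headers, body in exchanges:
        scheme = urlsplit(url).scheme
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if location and 300 <= status < 400:
            target = urljoin(url, location)  # resolve relative redirects first
            if scheme == "https" and urlsplit(target).scheme == "http":
                findings.append(("redirect-downgrade", url, target))
        forms = _LoginForms()
        forms.feed(body)
        for action in forms.actions:
            target = urljoin(url, action)
            if scheme == "http":  # form itself is tamperable in transit
                findings.append(("login-form-served-over-http", url, target))
            elif urlsplit(target).scheme == "http":
                findings.append(("login-post-over-http", url, target))
    return findings


# Constructed sample exchanges (hypothetical /login path), modelled on the thread.
SAMPLE = [
    ("http://newsblur.com/", 200, {}, '<form action="/login"><input type="password" name="pw"></form>'),
    ("https://newsblur.com/login", 302, {"Location": "http://newsblur.com/"}, ""),
    ("https://www.newsblur.com/", 200, {}, '<form action="/login"><input type="password"></form>'),
]
```

Running `audit_login_flow(SAMPLE)` flags the first two exchanges and passes the third, which is the behaviour the last poster asks for: login form and POST both on https.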