Uploaded image for project: 'CiviCRM'
  1. CiviCRM
  2. CRM-12783

As of 4.3, civicrm pulls in content by default from non-authenticated web site (http instead of https)

          Details

          • Type: Bug
          • Status: Done/Fixed
          • Priority: Trivial
          • Resolution: Fixed/Completed
          • Affects Version/s: 4.3.4
          • Fix Version/s: 4.3.5
          • Component/s: Core CiviCRM
          • Labels:
            None

            Description

            The default URL is: http://alert.civicrm.org/alert?prot=1&ver=

            {ver}

            &uf=

            {uf}

            &sid=

            {sid}

            &lang=

            {lang}

            &co=

            {co}

            Fortunately, the call to the web page is made by the server, not the browser, protecting it from manipulation by someone running a local router at a coffee house. However, it still seems to pose a security risk.

            Using an https site and ensuring that the call fails if the server does not have a trusted x509 certificate would be a big improvement.

              Attachments

                Activity

                  People

                  • Assignee:
                    colemanw Coleman Watts
                    Reporter:
                    jamie Jamie McClelland
                  • Votes:
                    0 Vote for this issue
                    Watchers:
                    2 Start watching this issue

                    Dates

                    • Created:
                      Updated:
                      Resolved: