CiviCRM / CRM-12783

As of 4.3, CiviCRM pulls in content by default from a non-authenticated web site (http instead of https)

    Details

    • Type: Bug
    • Status: Done/Fixed
    • Priority: Trivial
    • Resolution: Fixed/Completed
    • Affects Version/s: 4.3.4
    • Fix Version/s: 4.3.5
    • Component/s: Core CiviCRM
    • Labels: None

      Description

      The default URL is: http://alert.civicrm.org/alert?prot=1&ver={ver}&uf={uf}&sid={sid}&lang={lang}&co={co}

      Fortunately, the call to the web page is made by the server, not the browser, protecting it from manipulation by someone running a local router at a coffee house. However, it still seems to pose a security risk.

      Using an https site and ensuring that the call fails if the server does not have a trusted X.509 certificate would be a big improvement.
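As an added illustration of the fix the report asks for (this is example code, not CiviCRM's own implementation, which is PHP), the following Python script builds the alert URL from the same parameters the report lists, refuses to use any URL whose scheme is not https, and fetches it with certificate and hostname verification that cannot be silently downgraded. The https form of alert.civicrm.org is an assumption made for the example; the parameter values in the `__main__` block are constructed.

```python
import ssl
import urllib.request
from urllib.parse import urlencode, urlsplit

# Assumed hardened endpoint: the https form of the URL quoted in the report.
ALERT_BASE_URL = "https://alert.civicrm.org/alert"


class InsecureAlertUrl(ValueError):
    """Raised when the alert feed would be fetched without TLS."""


def build_alert_url(base_url, ver, uf, sid, lang, co):
    """Assemble the alert URL, percent-encoding every substituted value so a
    site id or locale string cannot inject extra query parameters."""
    query = urlencode(
        {"prot": 1, "ver": ver, "uf": uf, "sid": sid, "lang": lang, "co": co}
    )
    return f"{base_url}?{query}"


def require_https(url):
    """Reject anything that is not an absolute https URL; there is no
    fallback to plain http, so a misconfigured setting fails closed."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise InsecureAlertUrl(f"refusing non-https alert URL: {url}")
    return url


def fetch_alert(url, timeout=10):
    """Fetch the alert feed over TLS. create_default_context() loads the
    system trust store, requires a chain to a trusted CA and checks that the
    certificate matches the hostname; an untrusted or mismatched certificate
    raises ssl.SSLError instead of returning attacker-controlled content."""
    require_https(url)
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Constructed sample values; no network call is made here.
    url = build_alert_url(ALERT_BASE_URL, "4.3.4", "Drupal", "abc123", "en_US", "US")
    print("would fetch:", require_https(url))
    try:
        require_https("http://alert.civicrm.org/alert?prot=1")
    except InsecureAlertUrl as exc:
        print("rejected:", exc)
```

The important design choice is that `fetch_alert` has no "verify=False" escape hatch and no http fallback: if the certificate chain or hostname check fails, the server-side call errors out and the alert content is simply not shown, which is the failure mode the report asks for.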

            People

            • Assignee: Coleman Watts (colemanw)
            • Reporter: Jamie McClelland (jamie)
            • Votes: 0
            • Watchers: 2
