HTML version of email link not over HTTPS
dcRUSTy opened this issue · 6 comments
Describe the bug
There is a button to display the "HTML Version" of an email. It redirects with an http:// URL and not https://
To Reproduce
Steps to reproduce the behavior:
- Send yourself an email (with HTML content?)
- In the bot, click on the "HTML Version" button
Expected behavior
URL must begin with https://
@dcRUSTy I agree to this, but the http to https redirection is done at the webserver layer. So even if you see this html link, there is a redirect call happening at the server layer which will move to https. You can check that out in your browser when the link is opened.
I will keep this issue open till then 😄
@dcRUSTy it is not the case. The domain and uri are anyway submitted in plaintext even with https. The only role of https is to prevent data not the host uri.
You can refer to this question https://stackoverflow.com/questions/8277323/what-information-is-visible-to-a-packet-sniffer-which-intercepted-a-https-packet
For example, if the URL is https://example.com/1-2-3-4.html then a sniffer can only get to know example.com
If the URL is http://example.com/1-2-3-4.html then a sniffer can see example.com along with 1-2-3-4.html. Trust me,
GET /1-2-3-4.html is also encrypted in HTTPS.
In our trashemail example the 1-2-3-4.html (UUID) over http is visible in Wireshark... since it is visible, an attacker can also access this HTML with the URL.
Oh yes! That is the case I think, I missed in the first shot. I think it will be a quick fix. Will fix this up. Thanks for pointing this out.
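An added example, not trashemail's own code, of the fix direction discussed above: build the "HTML Version" link with the scheme forced to https so the per-mail UUID in the path is not sent in the clear, and a small check that flags any plaintext http:// link in an outgoing bot message so the regression is caught before release. The hostname and mail id are constructed placeholders.

```python
"""Added example (not trashemail's own code): enforce https on the
"HTML Version" link and detect plaintext-http links in bot messages.
Hostnames and mail ids used here are constructed placeholders."""
import re
from urllib.parse import urlsplit, urlunsplit


def build_html_link(base_url: str, mail_id: str) -> str:
    """Return <base>/<mail_id>.html with the scheme forced to https.

    Over plain http both the host and the path (the mail UUID) travel
    unencrypted; over https only the hostname is exposed (SNI), so the
    per-mail identifier in the path stays protected.
    """
    parts = urlsplit(base_url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.netloc:
        raise ValueError("base_url must include a hostname")
    path = parts.path.rstrip("/") + "/" + mail_id + ".html"
    # Drop any query/fragment: the link carries nothing but the mail path.
    return urlunsplit(("https", parts.netloc, path, "", ""))


# Matches http:// (not https://) up to whitespace or a closing delimiter.
_HTTP_LINK = re.compile(r"""\bhttp://[^\s<>"']+""", re.IGNORECASE)


def find_plaintext_links(message: str) -> list[str]:
    """Return every http:// URL in a message the bot is about to send."""
    return _HTTP_LINK.findall(message)


if __name__ == "__main__":
    # Base URL deliberately given as http://; the builder upgrades it.
    link = build_html_link("http://mail.example.invalid", "1-2-3-4")
    print(link)  # https://mail.example.invalid/1-2-3-4.html
    bad = "View HTML Version: http://mail.example.invalid/1-2-3-4.html"
    print(find_plaintext_links(bad))
```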