Issue Tracker https problem

I can not open https://issues.spongepowered.org in Firefox. It’s not possible to bypass it, and it’s not possible to use http (it always redirects to the https version).

Internet Explorer shows this error page when I bypass the warning:

IE does not always redirect to https, so it’s possible to use http. But Firefox does.

I had that with Chrome, it was a cached redirect from http -> https. Clearing cache worked for me

@boformer try just using this: issues.spongepowered.org/youtrack/dashboard

Firefox and Chrome cache HTML extremely aggressively, more so than other browsers, and this is what makes them “fast”. This behavior is special to those browsers because they cache HTTP redirects as well (no other browsers do this), even if the redirect has already been changed. Clear your cache on either and the site should work fine.

1 Like

I don’t see why an issue tracker should be secure/encrypted. Okay, you can make accounts, but what kind of hacker would take the time to hack the Sponge issue tracker? Just a waste of time…

Any time user information is being used, even if separate from the forums or another entity, you should practice privacy policies to the fullest extent. So let’s take a look at a few excerpts from Sponge’s Privacy Policy:

We implement a variety of security measures to maintain the safety of your personal information when you enter, submit, or access your personal information.

https://forums.spongepowered.org/privacy#protect

We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information.

https://forums.spongepowered.org/privacy#disclose

We can safely conclude, from these few lines from the privacy policy, the Sponge Project is dedicated to keeping all identifiable identities protected to the fullest extent. I see no reason why they should neglect any system, no matter how distant, that is within their control.

Security is never a waste of time. Anytime you can take security measures, you should. Let’s take a look at some examples of why system security is worthy of the time devoted to it. First let’s assume that the issue tracker will use the same credentials that the forums use. Next let’s assume they neglected to encrypt their responses. Lastly let’s assume the person who is the victim is using an open network (coffee shops, McDonald’s, etc.). There happens to be a hacker inside of the same network as the victim; the victim is submitting an issue, but noticed they had to login before they did. Once they login the information is sent to the Sponge servers as plain bytes that can be easily read. Now the hacker has these details: the website it was posted to, the user credentials, the user cookies (once the response is received). With all of these details the hacker can now trick the server into thinking that they are the victim and proceed to perform malicious activities. Now for the next example, let’s use that last scenario. Instead of using the information and then posting spam ads, or links, etc… the hacker now uses it to collect information about the victim. Lastly, I would like to add that you can be at your own home, on a private network that is as secure as you can possibly make it, but if the web server is submitting unencrypted data then anyone at the end point (i.e. at the data center in which it is hosted) can monitor all traffic and store the information.

Now those probably were not the best examples, but they convey the message that security is a necessity anytime you submit any type of data. For normal users, it seems like a waste of time, but in the end they are just protecting the community from phishers and identity theft (posing as your account), among a variety of other things.

Read the above. Also keep in mind that Sponge is shooting to be another major server provider[1] comparable to Bukkit. What I mean by that is Sponge may come to partner with a third party to host plugins (like Curse[2]), which then opens the doors for hackers to have the potential to gain access not just to one site (Sponge) but now to that third party (i.e. Curse).

Anyhow, sorry for the wall of text. If you didn’t read it all, just note that security should be a priority no matter what.


Things I recommend reading:

https://forums.spongepowered.org/privacy
http://en.wikipedia.org/wiki/HTTP_Secure


[1] - Don’t really know what to call Bukkit. Server platform/API maybe?
[2] - Curse is just a well known affiliate with Bukkit; in no way am I implying they are going to be affiliates with Sponge.

2 Likes
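As an added illustration (not code from this thread, Sponge, or YouTrack), the following Python script audits a raw HTTP response head for the two things discussed above: whether a redirect is one that browsers are allowed to remember (the cached http -> https redirect that made the tracker unreachable after the configuration changed), and whether a login response protects its session cookie and opts the site into HTTPS-only access (the defence against the open-Wi-Fi scenario). All sample responses, hostnames and cookie values are constructed for the example; the cacheability rules follow RFC 7231/7234 (301 and 308 are cacheable by default, 302 and 307 only with explicit freshness or `public`, and `no-store`/`no-cache` suppress caching).

```python
"""Offline audit of HTTPS-related response headers on constructed sample responses."""
from typing import Dict, List, Set, Tuple

Headers = List[Tuple[str, str]]


def parse_response(raw: str) -> Tuple[int, Headers]:
    """Split a raw HTTP/1.1 response head into (status, [(name, value), ...]).
    Names are lower-cased; repeated headers such as Set-Cookie stay separate."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def get(headers: Headers, name: str) -> List[str]:
    return [v for n, v in headers if n == name]


def cache_directives(headers: Headers) -> Set[str]:
    """Cache-Control directive names, e.g. {'max-age', 'public'}."""
    out: Set[str] = set()
    for value in get(headers, "cache-control"):
        for directive in value.split(","):
            out.add(directive.strip().lower().split("=", 1)[0])
    return out


def redirect_is_cacheable(status: int, headers: Headers) -> bool:
    """True when a browser may store the redirect and replay it without asking
    the server again, which is why a stale 301 survives a server-side change."""
    if status not in (301, 302, 307, 308):
        return False
    directives = cache_directives(headers)
    if "no-store" in directives or "no-cache" in directives:
        return False
    if status in (301, 308):          # cacheable by default (RFC 7231 6.1)
        return True
    # 302/307 need explicit freshness or an explicit 'public' to be stored
    return bool({"max-age", "s-maxage", "public"} & directives) or bool(get(headers, "expires"))


def cookie_findings(headers: Headers) -> Dict[str, List[str]]:
    """For each Set-Cookie, list the missing attributes that matter when the
    cookie crosses an untrusted network: Secure (never sent over plain HTTP)
    and HttpOnly (not readable from injected script)."""
    findings: Dict[str, List[str]] = {}
    for raw in get(headers, "set-cookie"):
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        findings[name] = [a for a in ("secure", "httponly") if a not in attrs]
    return findings


def has_hsts(headers: Headers) -> bool:
    """Strict-Transport-Security tells the browser to stop using http:// at all."""
    return bool(get(headers, "strict-transport-security"))


def audit(raw: str) -> dict:
    status, headers = parse_response(raw)
    return {
        "status": status,
        "cacheable_redirect": redirect_is_cacheable(status, headers),
        "hsts": has_hsts(headers),
        "cookies": cookie_findings(headers),
    }


# Constructed sample 1: a permanent http -> https redirect; browsers may keep it
# until the cache is cleared, even after the server stops sending it.
SAMPLE_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://issues.example.test/\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed sample 2: a login response whose session cookie would also be sent
# over plain HTTP, with no HSTS; this is what the open-network scenario relies on.
SAMPLE_WEAK_LOGIN = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html>...</html>"
)

# Constructed sample 3: the hardened form of the same response.
SAMPLE_HARDENED_LOGIN = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Content-Type: text/html\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in [("redirect", SAMPLE_REDIRECT),
                          ("weak login", SAMPLE_WEAK_LOGIN),
                          ("hardened login", SAMPLE_HARDENED_LOGIN)]:
        print(label, audit(sample))
```

The redirect check explains the symptom reported at the top of the thread: a `301` with no `Cache-Control` is stored by the browser, so once the server has changed, only clearing the cache (or the server sending `Cache-Control: no-store` on the redirect in the first place) gets rid of it. The cookie and HSTS checks are the server-side counterpart to the argument for HTTPS: with `Secure` set and HSTS in place, the session token is never put on the wire in plain bytes, regardless of which network the user is on.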

Interesting :smile:. But to avoid confusion, my “waste of time…” was actually meant for the hacker that would have tried it. But okay, I think I got it :).

When I was writing that post I was thinking financially, as SSL certificates aren’t really, euh, cheap (on top of student loans and other stuff). Also when writing, I forgot how easy it is to MITM “free” internet wifis and hotspots.

That raises the following question: who is paying for these certificates and hosting? The sponsors? I could understand that CreeperHost has some financial belongings to Sponge, as nobody would sell their packages if they can not mod their servers.

1 Like

This issue has now been resolved.

2 Likes