HTML version of email link not over HTTPS #58
Comments
@dcRUSTy I agree to this, but I will keep this issue open till then 😄
@dcRUSTy it is not the case. The domain and URI are anyway submitted in plaintext even with HTTPS. The only role of HTTPS is to prevent data not the host URI.
For example, if the URL is https://example.com/1-2-3-4.html, then a sniffer can only get to know example.com; GET /1-2-3-4.html is also encrypted in HTTPS. In our trashemail example, the 1-2-3-4.html (UUID) over HTTP is visible in Wireshark... since it is visible, an attacker can also access this HTML with the URL.
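An added example, not part of the thread or the project's code, of the distinction drawn in the comment above: it models which URL parts a passive sniffer can read per scheme, then audits a message body for links whose UUID path would travel in cleartext. The function names, the sample host and the assumption that links embed a canonical UUID are illustrative.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the secret in each link is a canonical UUID in the path.
UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def observer_view(url):
    """Return the URL parts a passive on-path sniffer can read."""
    u = urlsplit(url)
    if u.scheme != "http":
        # For https, TLS encrypts the request line and headers; the host
        # still leaks via DNS and (without ECH) the TLS SNI field.
        # Other schemes are out of scope for this check.
        return {"host": u.hostname}
    view = {"host": u.hostname, "path": u.path}
    if u.query:
        view["query"] = u.query
    return view


class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.append(value)


def exposed_capability_links(html):
    """List links whose secret UUID path would cross the wire in cleartext."""
    parser = _LinkCollector()
    parser.feed(html)
    return [u for u in parser.urls
            if UUID_RE.search(observer_view(u).get("path", ""))]


# Constructed sample message body; the host and UUIDs are made up.
SAMPLE = """
<a href="http://mail.example.com/3f2b8c1e-9d4a-4f6b-8a77-0c1d2e3f4a5b.html">HTML Version</a>
<a href="https://mail.example.com/7a1c9e02-5b3d-4e8f-9c10-aabbccddeeff.html">HTML Version</a>
<a href="http://mail.example.com/about.html">About</a>
"""

if __name__ == "__main__":
    for link in exposed_capability_links(SAMPLE):
        print("cleartext capability URL:", link)
```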
Oh yes! That is the case I think, I missed in the first shot. I think it will be a quick fix. Will fix this up. Thanks for pointing this out.
Thanks @dcRUSTy. This has been fixed and rolled to production as well. It was just a config change, so no code change is there to point to any commit. Check that out, I am closing this for now.
Describe the bug
There is a button to display "HTML Version" of email. It redirects with an http:// URL and not https://
To Reproduce
Steps to reproduce the behavior:
Expected behavior
URL must begin with https://
Screenshots