Force HTTPS usage

I’ve noticed that I am able to access this website over HTTP and, surprisingly, remain logged in! This means that I’ve sent my authentication token in plain text over the open internet. We should make the website unavailable over HTTP, or at least set the “Secure” flag for the authentication cookie. In the meantime, enabling HSTS will ensure I don’t accidentally visit the website using HTTP ever again.

Also, use over HTTP will cause OAuth2 with GitHub to fail because the redirect URL is https, which prevents people from signing up with GitHub.

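A way to test the three things the post above asks for (plain HTTP only redirecting, HSTS present, the Secure flag on the session cookie) is a small checker run over captured responses. This is an added example, not code from the thread or from Discourse; the responses are constructed to mirror the behaviour the reporter describes, and the cookie name `auth_token` is a placeholder, not Discourse's real cookie name.

```python
"""Check the transport-security properties the post asks for (HTTPS-only,
Secure flag on the session cookie, HSTS) against captured HTTP responses.

Added example, not code from the original thread or from Discourse. The
responses below are constructed to mirror the behaviour the reporter
describes; the session cookie name "auth_token" is a hypothetical
placeholder, not Discourse's actual cookie name.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ONE_YEAR = 31536000  # HSTS max-age commonly treated as the floor for a real deployment


@dataclass
class Response:
    scheme: str                     # scheme of the request that produced it
    status: int
    headers: List[Tuple[str, str]]  # ordered; Set-Cookie may repeat


def header(resp: Response, name: str) -> List[str]:
    """All values of a header, matched case-insensitively."""
    return [v for n, v in resp.headers if n.lower() == name.lower()]


def parse_cookie(set_cookie: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, lower-cased attribute map)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def parse_hsts(value: str) -> Dict[str, str]:
    """Parse Strict-Transport-Security directives (RFC 6797 syntax)."""
    directives: Dict[str, str] = {}
    for item in value.split(";"):
        key, _, val = item.strip().partition("=")
        if key:
            directives[key.lower()] = val.strip().strip('"')
    return directives


def check_response(resp: Response, auth_cookie: str = "auth_token") -> List[str]:
    """Return finding codes for one response; an empty list means it is clean."""
    findings: List[str] = []
    if resp.scheme == "http":
        # Plain HTTP should only ever answer with a redirect to an https:// URL
        # and must never set cookies on the way.
        if resp.status not in (301, 308):
            findings.append("no-redirect")
        else:
            loc = header(resp, "Location")
            if not loc or not loc[0].lower().startswith("https://"):
                findings.append("redirect-not-https")
        if header(resp, "Set-Cookie"):
            findings.append("cookie-over-http")
        return findings

    hsts = header(resp, "Strict-Transport-Security")
    if not hsts:
        findings.append("no-hsts")
    else:
        d = parse_hsts(hsts[0])
        if int(d.get("max-age", "0") or 0) < ONE_YEAR:
            findings.append("hsts-short-max-age")
        if "includesubdomains" not in d:
            findings.append("hsts-no-includesubdomains")

    for raw in header(resp, "Set-Cookie"):
        name, attrs = parse_cookie(raw)
        if name != auth_cookie:
            continue
        if "secure" not in attrs:
            findings.append("auth-cookie-not-secure")
        if "httponly" not in attrs:
            findings.append("auth-cookie-not-httponly")
    return findings


# Constructed responses modelled on what the post reports: a logged-in page
# served over plain HTTP, and an HTTPS response with neither HSTS nor Secure.
BEFORE_HTTP = Response("http", 200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "auth_token=abc123; Path=/; HttpOnly"),
])
BEFORE_HTTPS = Response("https", 200, [
    ("Set-Cookie", "auth_token=abc123; Path=/; HttpOnly"),
])
# Constructed responses showing the fix the thread asks for.
AFTER_HTTP = Response("http", 301, [("Location", "https://es.discourse.group/")])
AFTER_HTTPS = Response("https", 200, [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "auth_token=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
])

if __name__ == "__main__":
    for label, resp in [("before/http", BEFORE_HTTP), ("before/https", BEFORE_HTTPS),
                        ("after/http", AFTER_HTTP), ("after/https", AFTER_HTTPS)]:
        print(label, check_response(resp) or "ok")
```

Run against the constructed "before" responses it reports `no-redirect` and `cookie-over-http` for the plain-HTTP page and `no-hsts` plus `auth-cookie-not-secure` for the HTTPS one; both "after" responses come back clean. Note that HSTS only helps a browser that has already seen the header over HTTPS, so the redirect and the Secure flag are the part that stops the first plaintext request from leaking the token.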

Secure flag and a forced redirect + HSTS?

I’ve emailed Discourse to look into this.


Another data point: My “Confirm your new account” email provided a link with, sensibly, a url containing unguessable noise for authorization. However, that same url also began with “http://es.discourse.group/u/activate-account/”. Since this one is a use-once secret, it isn’t actually so harmful that it is sent in plaintext. But treating a secret-holding url this way makes me worry about sloppy security practices in general.

Seems like this has been fixed now :tada:

Oh yeah totally flaked on updating y’all today. Thanks Discourse staff for your help!

For what it's worth, your "[TC39] Confirm your new account" email landed in my Junk email (outlook.com). I include the pertinent part of the email headers if it helps at all. I've marked it as Not Junk to fix my own situation but others of course might be affected.

Since you don't really control the domain name you'd probably have to forward this to Discourse perhaps.

Received: from DB3EUR04HT003.eop-eur04.prod.protection.outlook.com
 (2603:10b6:a03:54::46) by BYAPR16MB2725.namprd16.prod.outlook.com with HTTPS
 via BYAPR02CA0069.NAMPRD02.PROD.OUTLOOK.COM; Thu, 4 Apr 2019 21:21:29 +0000
 Received: from DB3EUR04FT063.eop-eur04.prod.protection.outlook.com
 (10.152.24.54) by DB3EUR04HT003.eop-eur04.prod.protection.outlook.com
 (10.152.25.42) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1750.16; Thu, 4 Apr
 2019 21:21:29 +0000
 Authentication-Results: spf=pass (sender IP is 173.201.192.35)
 smtp.mailfrom=bounce.secureserver.net; outlook.com; dkim=pass (signature was
 verified) header.d=discoursemail.com;outlook.com; dmarc=pass action=none
 header.from=discoursemail.com;
 Received-SPF: Pass (protection.outlook.com: domain of bounce.secureserver.net
 designates 173.201.192.35 as permitted sender)
 receiver=protection.outlook.com; client-ip=173.201.192.35;
 helo=p3plsmtp11-02-25.prod.phx3.secureserver.net;
 Received: from p3plsmtp11-02-25.prod.phx3.secureserver.net (173.201.192.35) by
 DB3EUR04FT063.mail.protection.outlook.com (10.152.24.154) with Microsoft SMTP
 Server id 15.20.1750.16 via Frontend Transport; Thu, 4 Apr 2019 21:21:28
 +0000
 X-IncomingTopHeaderMarker: OriginalChecksum:060AF59054F734A0117F38962D4E989750AA9C7F7AB9893AD8F4FB41A22458FB;UpperCasedChecksum:A7BB2F3BAB20F505EDB760D86051F7391F7D97E14E59FFBF3B1C99CD41C448D6;SizeAsReceived:2335;Count:19
 Received: (qmail 1769 invoked from network); 4 Apr 2019 21:21:28 -0000
 Delivered-To: support@outsourced.guru
 Received: (qmail 1767 invoked by uid 30297); 4 Apr 2019 21:21:28 -0000
 Received: from unknown (HELO p3plibsmtp03-08.prod.phx3.secureserver.net) ([68.178.213.116])
 (envelope-sender <es+verp-b5514e4d0a9f660efbc44c804142a4f5@discoursemail.com>)
 by p3plsmtp11-02-25.prod.phx3.secureserver.net (qmail-1.03) with SMTP
 for <support@outsourced.guru>; 4 Apr 2019 21:21:28 -0000
 Received: from mx-out-02a.sjc2.discourse.org ([216.218.240.123])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 256/256 bits)
 (Client did not present a certificate)
 by CMGW with ESMTP
 id C9nbhoPErYEgxC9nchHOQ6; Thu, 04 Apr 2019 14:21:28 -0700
 Received: from localhost.localdomain (unknown [IPv6:2001:470:107:1::230:3cb7:190d])
 by mx-out-02a.sjc2.discourse.org (Postfix) with ESMTP id 537B55C0199
 for <support@outsourced.guru>; Thu, 4 Apr 2019 21:21:27 +0000 (UTC)
 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=discoursemail.com;
 s=sjc2; t=1554412887;
 bh=VS7epJdOGiEY36Qx3B6DD8Rvx7plLyGOr350JRjj32c=;
 h=Date:From:Reply-To:To:Subject;
 b=cu9MvNdwqFZfQJmdc9FpwJvqYle/v0HosjiK/+TfM/BGCiisA/egUCgweEGn1PxMv
 o6zNnbtNO+r81kjOfod77QVYWyLfGdHRIdW7iw+25RfpzflhRAwT+2oqy8uge3uc+2
 Lsq+gj298ECykWkj48Wt6y0XrshhBqERjKQs998elZxpAEg15CZYXvWK3mNPn8RzdN
 hiCmUjvgKoIYM+Cg/Af3vnjTGsAGyUpyYB7Qsmof5i2MM5pqahXYcG9FhutfNb/4D2
 ZWJrwW8WKUInE+3N6sRJCXeh6eKyAYOl2Mmr17iibO/ugpddg+ivnC5c2FjHGqRKk1
 ulR8AVpjA5mpw==
 Date: Thu, 04 Apr 2019 21:21:27 +0000
 From: TC39 <es@discoursemail.com>
 Reply-To: TC39 <es@discoursemail.com>
 To: support@outsourced.guru
 Message-ID: <0bfd9c64-7a67-43ac-ac30-b44b3da2a1af@es.discourse.group>
 Subject: [TC39] Confirm your new account
 Content-Type: multipart/alternative;
 boundary="--==_mimepart_5ca6755750448_1f913feb6e2120c02093e7";
 charset="UTF-8"
 Content-Transfer-Encoding: 7bit
 X-Auto-Response-Suppress: All
 Auto-Submitted: auto-generated
 X-CMAE-Envelope: MS4wfHjHu5NoMjozvJyTIkUqjL8HQN9Wq2IrP31r4TPbxg46QASb/z/nulF+DxGO9wltkvBdP+LYpe5Biu3sxLfjS9SKKK3bYK605jRLhelqXaLPkZD5/9SV
 Jx4QqnaMJVEoFd4ArJJAQbWRk8HQ0iH33IXyYq4IEAjsVdyfAKfRoU+QAkIgEuqYSJ7+VYh2V/xifWpL52eZgsMT4XOpWJK/WtS4AvSWq1KZpLQMqvzs1uVl
 FiPNyJHF5xDcmzyNiYKhXA==
 X-IncomingHeaderCount: 19
 Return-Path:
 SRS0=UZVB=SG=discoursemail.com=es+verp-b5514e4d0a9f660efbc44c804142a4f5@bounce.secureserver.net
 X-MS-Exchange-Organization-ExpirationStartTime: 04 Apr 2019 21:21:29.1210
 (UTC)
 X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
 X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
 X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
 X-MS-Exchange-Organization-Network-Message-Id: 00c35e23-55ee-44e3-cc0c-08d6b943809c
 X-EOPAttributedMessage: 0
 X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
 X-MS-Exchange-Organization-MessageDirectionality: Incoming
 X-Forefront-Antispam-Report: EFV:NLI;
 X-MS-Exchange-Organization-AuthSource:
 DB3EUR04FT063.eop-eur04.prod.protection.outlook.com
 X-MS-Exchange-Organization-AuthAs: Anonymous
 X-MS-PublicTrafficType: Email
 X-MS-UserLastLogonTime: 4/4/2019 9:00:00 PM
 X-MS-Office365-Filtering-Correlation-Id: 00c35e23-55ee-44e3-cc0c-08d6b943809c
 X-Microsoft-Antispam:
 BCL:3;PCL:0;RULEID:(2390118)(5000111)(711020)(4605104)(610169)(651021)(8291501072);SRVR:DB3EUR04HT003;
 X-MS-TrafficTypeDiagnostic: DB3EUR04HT003:
 X-MS-Exchange-PUrlCount: 1
 X-MS-Exchange-EOPDirect: true
 X-Sender-IP: 173.201.192.35
 X-SID-PRA: ES@DISCOURSEMAIL.COM
 X-SID-Result: PASS
 X-MS-Exchange-Organization-PCL: 2
 X-OriginatorOrg: outlook.com
 X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Apr 2019 21:21:28.7007
 (UTC)
 X-MS-Exchange-CrossTenant-Network-Message-Id: 00c35e23-55ee-44e3-cc0c-08d6b943809c
 X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
 X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
 X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg:
 00000000-0000-0000-0000-000000000000
 X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB3EUR04HT003
 X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.1606984
 X-MS-Exchange-Processed-By-BccFoldering: 15.20.1771.000
 X-Microsoft-Antispam-Mailbox-Delivery:
 abwl:0;wl:0;pcwl:0;kl:0;iwl:0;dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:0;auth:1;dest:J;OFR:SpamFilterAuthJ;ENG:(5062000261)(5061607266)(5061608174)(4900115)(4920090)(6375004)(4950130)(4990090)(9140004);RF:JunkEmail;
 X-Message-Info:
 qoGN4b5S4yoRnJikr0PaEWFMIUSL1q0OERPPZbR/nbrgETfLD7CmaJiWHy4ec71vjJ5Y09GGWq1Nr5dyAeKhJNbCeHdXLnufmLZROzOsVQYUif7AZmXHyfIXucuE2RxRiT+lcQfqJUpaQ1ERDh+iBSo+opko95/1f30NKEC1vbOXhlk3TrJNIR8822AVuJR4mAG6kSX8F7QY1jnDvo3rAw==
 X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD02
 MIME-Version: 1.0
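The headers in the post above say `spf=pass`, `dkim=pass` and `dmarc=pass`, but each check passed for a different domain, and which domain matters for deliverability. The following is an added example, not code from the thread or from Discourse or Outlook, that unfolds the relevant headers and reports what each check was evaluated against. `SAMPLE` is a constructed excerpt modelled on the posted headers with the DKIM `b=` value omitted, and the alignment test is a suffix match that only approximates DMARC's organisational-domain rule.

```python
"""Work out which domain each authentication check in the posted headers
actually passed for, and whether DMARC alignment came from SPF or DKIM.

Added example, not code from the thread or from Discourse/Outlook. SAMPLE is
a constructed excerpt modelled on the posted headers, with the DKIM b= value
omitted; aligned() is a suffix match that approximates DMARC's relaxed,
organisational-domain alignment rule.
"""
import re
from typing import Dict, List, Tuple

SAMPLE = """\
Authentication-Results: spf=pass (sender IP is 173.201.192.35)
 smtp.mailfrom=bounce.secureserver.net; outlook.com; dkim=pass (signature was
 verified) header.d=discoursemail.com;outlook.com; dmarc=pass action=none
 header.from=discoursemail.com;
Return-Path:
 SRS0=UZVB=SG=discoursemail.com=es+verp-b5514e4d0a9f660efbc44c804142a4f5@bounce.secureserver.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=discoursemail.com;
 s=sjc2; t=1554412887;
 bh=VS7epJdOGiEY36Qx3B6DD8Rvx7plLyGOr350JRjj32c=;
 h=Date:From:Reply-To:To:Subject;
 b=omitted
From: TC39 <es@discoursemail.com>
"""


def unfold(raw: str) -> List[Tuple[str, str]]:
    """Join RFC 5322 folded continuation lines into (name, value) pairs."""
    fields: List[List[str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:
            fields[-1][1] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            fields.append([name.strip(), value.strip()])
    return [(n, v.strip()) for n, v in fields]


def parse_authentication_results(value: str) -> Tuple[str, Dict[str, Dict[str, str]]]:
    """Parse an Authentication-Results value (RFC 8601) into
    (authserv-id, {method: {"result": ..., property: value, ...}}).
    Outlook scatters the authserv-id between clauses, so any clause that is
    not method=result is taken to be the authserv-id."""
    value = re.sub(r"\([^)]*\)", "", value)  # drop comments like "(sender IP is ...)"
    authserv = ""
    results: Dict[str, Dict[str, str]] = {}
    for clause in value.split(";"):
        clause = clause.strip()
        if not clause:
            continue
        m = re.match(r"(\w+)=(\w+)(.*)", clause)
        if not m:
            authserv = authserv or clause
            continue
        method, result, props = m.groups()
        results[method] = {"result": result, **dict(re.findall(r"([\w.]+)=(\S+)", props))}
    return authserv, results


def parse_dkim_signature(value: str) -> Dict[str, str]:
    """Split DKIM-Signature tag=value pairs (RFC 6376)."""
    tags: Dict[str, str] = {}
    for item in value.split(";"):
        key, _, val = item.strip().partition("=")
        if key:
            tags[key] = val.strip()
    return tags


def aligned(domain: str, from_domain: str) -> bool:
    """Relaxed alignment approximated as an exact or parent/child suffix match."""
    d, f = domain.lower(), from_domain.lower()
    return d == f or d.endswith("." + f) or f.endswith("." + d)


def summarize(raw: str) -> Dict[str, object]:
    """Report, per method, the domain it passed for and whether it aligns with From."""
    hdrs = dict(unfold(raw))
    authserv, results = parse_authentication_results(hdrs["Authentication-Results"])
    from_domain = re.search(r"@([\w.-]+)", hdrs["From"]).group(1)
    spf_domain = results["spf"]["smtp.mailfrom"]
    dkim_domain = results["dkim"]["header.d"]
    return {
        "authserv": authserv,
        "from_domain": from_domain,
        "spf_domain": spf_domain,
        "spf_aligned": aligned(spf_domain, from_domain),
        "dkim_domain": dkim_domain,
        "dkim_aligned": aligned(dkim_domain, from_domain),
        "dmarc": results["dmarc"]["result"],
        "return_path_domain": hdrs["Return-Path"].rsplit("@", 1)[-1],
        "signed_headers": parse_dkim_signature(hdrs["DKIM-Signature"])["h"].split(":"),
    }


if __name__ == "__main__":
    for key, val in summarize(SAMPLE).items():
        print(f"{key}: {val}")
```

On this sample it reports `spf_aligned: False` and `dkim_aligned: True`: the SPF pass belongs to `bounce.secureserver.net`, the SRS-rewritten Return-Path of the forwarding hop between the recipient's own domain and outlook.com, while the DMARC pass rests on the `discoursemail.com` DKIM signature over Date, From, Reply-To, To and Subject. So the message was fully authenticated as far as DMARC is concerned; the junk verdict came from Outlook's content/reputation scoring, not from a failed SPF, DKIM or DMARC check.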

tyvm @OutsourcedGuru, I've sent a link to your post w/raw headers to Discourse. I do not envy the people responsible for email deliverability, I remember that stuff being haaaaard back when I worked on it :grimacing:

They should know this by now. Every time they add another hostname to their domains they need to update their SPF records.