I’ve noticed that I am able to access this website over HTTP and, surprisingly, remain logged in! This means that I’ve sent my authentication token in plain text over the open internet. We should make the website unavailable over HTTP, or at least set the “Secure” flag for the authentication cookie. In the meantime, enabling HSTS will ensure I don’t accidentally visit the website using HTTP ever again.
Also, use over HTTP will cause OAuth2 with GitHub to fail because the redirect URL is https, which prevents people from signing up with GitHub.
Secure flag and a forced redirect + HSTS?
I’ve emailed Discourse to look into this.
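As an added example (not code from the thread or from Discourse), a small audit of the three fixes discussed above: a forced redirect from HTTP to HTTPS, an HSTS header, and the Secure flag on the authentication cookie. The responses are constructed; the cookie name `_t` and the host `forum.example` are placeholders, not values taken from the site.

```python
import re

ONE_YEAR = 31536000  # seconds; the conventional minimum HSTS max-age

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, attributes); attribute names are lower-cased
    and valueless flags such as Secure and HttpOnly map to True."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    return name, attrs

def audit(http_status, http_headers, https_headers, auth_cookie="_t"):
    """Return findings for a site's plain-HTTP response (status, headers) and its HTTPS
    response headers; an empty list means all three fixes discussed above are in place."""
    findings = []
    # 1. Plain HTTP must not serve the site; it should redirect to the https:// origin.
    location = http_headers.get("Location", "")
    if http_status not in (301, 302, 307, 308) or not location.startswith("https://"):
        findings.append("no redirect from HTTP to HTTPS")
    # 2. HSTS makes the browser upgrade every later http:// visit before a request is sent.
    hsts = https_headers.get("Strict-Transport-Security", "")
    max_age = re.search(r"max-age=(\d+)", hsts)
    if not max_age or int(max_age.group(1)) < ONE_YEAR:
        findings.append("HSTS header missing or max-age below one year")
    # 3. The auth cookie must carry Secure so the browser never attaches it to an http:// request.
    for raw in https_headers.get("Set-Cookie", []):
        name, attrs = parse_set_cookie(raw)
        if name == auth_cookie:
            if "secure" not in attrs:
                findings.append(f"cookie {name} lacks Secure")
            if "httponly" not in attrs:
                findings.append(f"cookie {name} lacks HttpOnly")
    return findings

# Constructed responses: the site as reported (served over HTTP), then after the fixes.
BEFORE = dict(http_status=200, http_headers={"Content-Type": "text/html"},
              https_headers={"Set-Cookie": ["_t=c0ffee; Path=/; HttpOnly"]})
AFTER = dict(http_status=301, http_headers={"Location": "https://forum.example/"},
             https_headers={"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                            "Set-Cookie": ["_t=c0ffee; Path=/; Secure; HttpOnly"]})

if __name__ == "__main__":
    print("before:", audit(**BEFORE))  # three findings
    print("after: ", audit(**AFTER))   # []
```

The same headers can be captured from a live site with `curl -sI http://host/` and `curl -sI https://host/` and fed to `audit()`; the HSTS check is only meaningful on the HTTPS response, since browsers ignore the header over plain HTTP.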
Another data point: My “Confirm your new account” email provided a link with, sensibly, a url containing unguessable noise for authorization. However, that same url also began with “http://es.discourse.group/u/activate-account/”. Since this one is a use-once secret, it isn’t actually so harmful that it is sent in plaintext. But treating a secret-holding url this way makes me worry about sloppy security practices in general.
Seems like this has been fixed now.
Oh yeah totally flaked on updating y’all today. Thanks Discourse staff for your help!
For what it's worth, your "[TC39] Confirm your new account" email landed in my Junk email (outlook.com). I include the pertinent part of the email headers if it helps at all. I've marked it as Not Junk to fix my own situation but others of course might be affected.
Since you don't really control the domain name you'd probably have to forward this to Discourse perhaps.
Received: from DB3EUR04HT003.eop-eur04.prod.protection.outlook.com
(2603:10b6:a03:54::46) by BYAPR16MB2725.namprd16.prod.outlook.com with HTTPS
via BYAPR02CA0069.NAMPRD02.PROD.OUTLOOK.COM; Thu, 4 Apr 2019 21:21:29 +0000
Received: from DB3EUR04FT063.eop-eur04.prod.protection.outlook.com
(10.152.24.54) by DB3EUR04HT003.eop-eur04.prod.protection.outlook.com
(10.152.25.42) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1750.16; Thu, 4 Apr
2019 21:21:29 +0000
Authentication-Results: spf=pass (sender IP is 173.201.192.35)
smtp.mailfrom=bounce.secureserver.net; outlook.com; dkim=pass (signature was
verified) header.d=discoursemail.com;outlook.com; dmarc=pass action=none
header.from=discoursemail.com;
Received-SPF: Pass (protection.outlook.com: domain of bounce.secureserver.net
designates 173.201.192.35 as permitted sender)
receiver=protection.outlook.com; client-ip=173.201.192.35;
helo=p3plsmtp11-02-25.prod.phx3.secureserver.net;
Received: from p3plsmtp11-02-25.prod.phx3.secureserver.net (173.201.192.35) by
DB3EUR04FT063.mail.protection.outlook.com (10.152.24.154) with Microsoft SMTP
Server id 15.20.1750.16 via Frontend Transport; Thu, 4 Apr 2019 21:21:28
+0000
X-IncomingTopHeaderMarker: OriginalChecksum:060AF59054F734A0117F38962D4E989750AA9C7F7AB9893AD8F4FB41A22458FB;UpperCasedChecksum:A7BB2F3BAB20F505EDB760D86051F7391F7D97E14E59FFBF3B1C99CD41C448D6;SizeAsReceived:2335;Count:19
Received: (qmail 1769 invoked from network); 4 Apr 2019 21:21:28 -0000
Delivered-To: support@outsourced.guru
Received: (qmail 1767 invoked by uid 30297); 4 Apr 2019 21:21:28 -0000
Received: from unknown (HELO p3plibsmtp03-08.prod.phx3.secureserver.net) ([68.178.213.116])
(envelope-sender <es+verp-b5514e4d0a9f660efbc44c804142a4f5@discoursemail.com>)
by p3plsmtp11-02-25.prod.phx3.secureserver.net (qmail-1.03) with SMTP
for <support@outsourced.guru>; 4 Apr 2019 21:21:28 -0000
Received: from mx-out-02a.sjc2.discourse.org ([216.218.240.123])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 256/256 bits)
(Client did not present a certificate)
by CMGW with ESMTP
id C9nbhoPErYEgxC9nchHOQ6; Thu, 04 Apr 2019 14:21:28 -0700
Received: from localhost.localdomain (unknown [IPv6:2001:470:107:1::230:3cb7:190d])
by mx-out-02a.sjc2.discourse.org (Postfix) with ESMTP id 537B55C0199
for <support@outsourced.guru>; Thu, 4 Apr 2019 21:21:27 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=discoursemail.com;
s=sjc2; t=1554412887;
bh=VS7epJdOGiEY36Qx3B6DD8Rvx7plLyGOr350JRjj32c=;
h=Date:From:Reply-To:To:Subject;
b=cu9MvNdwqFZfQJmdc9FpwJvqYle/v0HosjiK/+TfM/BGCiisA/egUCgweEGn1PxMv
o6zNnbtNO+r81kjOfod77QVYWyLfGdHRIdW7iw+25RfpzflhRAwT+2oqy8uge3uc+2
Lsq+gj298ECykWkj48Wt6y0XrshhBqERjKQs998elZxpAEg15CZYXvWK3mNPn8RzdN
hiCmUjvgKoIYM+Cg/Af3vnjTGsAGyUpyYB7Qsmof5i2MM5pqahXYcG9FhutfNb/4D2
ZWJrwW8WKUInE+3N6sRJCXeh6eKyAYOl2Mmr17iibO/ugpddg+ivnC5c2FjHGqRKk1
ulR8AVpjA5mpw==
Date: Thu, 04 Apr 2019 21:21:27 +0000
From: TC39 <es@discoursemail.com>
Reply-To: TC39 <es@discoursemail.com>
To: support@outsourced.guru
Message-ID: <0bfd9c64-7a67-43ac-ac30-b44b3da2a1af@es.discourse.group>
Subject: [TC39] Confirm your new account
Content-Type: multipart/alternative;
boundary="--==_mimepart_5ca6755750448_1f913feb6e2120c02093e7";
charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Auto-Response-Suppress: All
Auto-Submitted: auto-generated
X-IncomingHeaderCount: 19
Return-Path:
SRS0=UZVB=SG=discoursemail.com=es+verp-b5514e4d0a9f660efbc44c804142a4f5@bounce.secureserver.net
X-MS-Exchange-Organization-ExpirationStartTime: 04 Apr 2019 21:21:29.1210
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id: 00c35e23-55ee-44e3-cc0c-08d6b943809c
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-Forefront-Antispam-Report: EFV:NLI;
X-MS-Exchange-Organization-AuthSource:
DB3EUR04FT063.eop-eur04.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-PublicTrafficType: Email
X-MS-UserLastLogonTime: 4/4/2019 9:00:00 PM
X-MS-Office365-Filtering-Correlation-Id: 00c35e23-55ee-44e3-cc0c-08d6b943809c
X-Microsoft-Antispam:
BCL:3;PCL:0;RULEID:(2390118)(5000111)(711020)(4605104)(610169)(651021)(8291501072);SRVR:DB3EUR04HT003;
X-MS-TrafficTypeDiagnostic: DB3EUR04HT003:
X-MS-Exchange-PUrlCount: 1
X-MS-Exchange-EOPDirect: true
X-Sender-IP: 173.201.192.35
X-SID-PRA: ES@DISCOURSEMAIL.COM
X-SID-Result: PASS
X-MS-Exchange-Organization-PCL: 2
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Apr 2019 21:21:28.7007
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 00c35e23-55ee-44e3-cc0c-08d6b943809c
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg:
00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB3EUR04HT003
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.1606984
X-MS-Exchange-Processed-By-BccFoldering: 15.20.1771.000
X-Microsoft-Antispam-Mailbox-Delivery:
abwl:0;wl:0;pcwl:0;kl:0;iwl:0;dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:0;auth:1;dest:J;OFR:SpamFilterAuthJ;ENG:(5062000261)(5061607266)(5061608174)(4900115)(4920090)(6375004)(4950130)(4990090)(9140004);RF:JunkEmail;
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD02
MIME-Version: 1.0
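As an added example (not from the thread), a reader for the authentication headers posted above. It shows what the headers record: SPF passed for the forwarder's bounce domain (the Return-Path was SRS-rewritten on the way through secureserver.net), only DKIM aligned with the From domain, so the DMARC pass rests on DKIM alone, and the Junk placement (dest:J) was a filter decision made after authentication succeeded. The RAW excerpt is constructed from the posted values, re-folded per RFC 5322 and trimmed.

```python
import re

# Constructed excerpt of the headers in the post above, re-folded per RFC 5322 and trimmed.
RAW = """\
Authentication-Results: spf=pass (sender IP is 173.201.192.35)
 smtp.mailfrom=bounce.secureserver.net; outlook.com; dkim=pass (signature was
 verified) header.d=discoursemail.com;outlook.com; dmarc=pass action=none
 header.from=discoursemail.com;
Return-Path: SRS0=UZVB=SG=discoursemail.com=es+verp-b5514e4d0a9f660efbc44c804142a4f5@bounce.secureserver.net
From: TC39 <es@discoursemail.com>
X-Microsoft-Antispam-Mailbox-Delivery: auth:1;dest:J;OFR:SpamFilterAuthJ;RF:JunkEmail;
"""

def unfold(raw):
    """Return {header: value}, joining folded continuation lines back onto their header."""
    headers, last = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and last:
            headers[last] = (headers[last] + " " + line.strip()).strip()
        else:
            last, _, value = line.partition(":")
            headers[last] = value.strip()
    return headers

def auth_results(value):
    """Parse 'method=result (comment) prop=val; authserv-id; ...' into {method: (result, props)}."""
    out = {}
    for clause in re.sub(r"\([^)]*\)", "", value).split(";"):
        tokens = clause.split()
        if tokens and "=" in tokens[0]:  # a bare 'outlook.com' token is the authserv-id, skip it
            method, result = tokens[0].split("=", 1)
            out[method] = (result, dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return out

def org_domain(addr_or_domain):
    """Crude organizational domain (last two labels); enough for the .com/.net names here."""
    return ".".join(addr_or_domain.rsplit("@", 1)[-1].lower().split(".")[-2:])

def dmarc_view(raw):
    """Which identifier aligned with From, whether a forwarder rewrote the sender, and the verdict."""
    h = unfold(raw)
    res = auth_results(h["Authentication-Results"])
    from_dom = org_domain(re.search(r"<([^>]+)>", h["From"]).group(1))
    return {
        "dmarc": res["dmarc"][0],
        "spf_aligned": res["spf"][0] == "pass" and org_domain(res["spf"][1]["smtp.mailfrom"]) == from_dom,
        "dkim_aligned": res["dkim"][0] == "pass" and org_domain(res["dkim"][1]["header.d"]) == from_dom,
        "forwarded_srs": h["Return-Path"].startswith(("SRS0=", "SRS1=")),
        "junked": "dest:J" in h.get("X-Microsoft-Antispam-Mailbox-Delivery", ""),
    }
```

`dmarc_view(RAW)` reports `dmarc: pass` with `spf_aligned: False`, `dkim_aligned: True`, `forwarded_srs: True` and `junked: True`; a sender that relies on SPF alone would have failed DMARC at this forwarded mailbox, which is why publishing DKIM for every sending hostname matters as much as keeping SPF current.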
tyvm @OutsourcedGuru, I've sent a link to your post w/raw headers to Discourse. I do not envy the people responsible for email deliverability, I remember that stuff being haaaaard back when I worked on it.
They should know this by now. Every time they add another hostname to their domains they need to update their SPF records.