[philiptellis] /bb|[^b]{2}/
Never stop Grokking

Tuesday, January 24, 2012

HTTPS for login but HTTP for password resets

I recently tried to log in to my delicious.com account, and realised that I'd forgotten my password, so went through the reset password flow. This is what I saw...
  1. The Sign-in page is over SSL, which is good:
    delicious login over ssl
  2. The Forgot password page, where you enter your username is also over HTTPS. Not strictly required, but good all the same:
    delicious - forgot password over HTTPS
  3. This sends you an email with a link to reset your password. This page is not over HTTPS:
    delicious - reset password page -- not over HTTPS
  4. And submitting this form also goes to a page that is not over HTTPS:
    delicious -- form submit over http

Now they put the login page on HTTPS, which shows that they want to protect the user's password from sniffing, but the password reset form, which also accepts the user's password, sends the password in clear text over HTTP. This isn't good. If you're going to protect passwords via SSL, do it everywhere. FWIW, the userid (but not the username) is also sent in this form.

Additionally, the password reset page contains JavaScript from google analytics and chartbeat. As I've written before, you shouldn't trust third party scripts. While you may choose to ignore this on most pages, pages that accept the user's credentials should be considered sacred. The user assumes that anything they enter on this page is available only to your servers. By including third party JavaScript, you're breaking that trust.

I've emailed violations@delicious.com with these details, and am awaiting a response.

Update 2012-01-25 21:08 UTC: As of this time, Delicious have fixed the core issue of the password reset page being on HTTP. Kudos to the team for acting quickly. The secondary issue of third party scripts on this page still remains, but that's a policy decision for them, and not me.


Tim Bull
January 24, 2012 10:41 PM

Thanks - I've passed this to the engineers, I think we should be able to get this fixed straight away.

January 24, 2012 10:45 PM

Thanks Tim, I'll update the post at that time.

Tim Bull
January 25, 2012 4:06 PM

I've just been told it's fixed now. Thanks for reaching out to us with the issue.

Post a Comment