One of my sites (and my server) has been audited by a security company for credit card use and, having fixed most of the problems, I am still getting this issue (pasted below):
-----
Synopsis : The remote web server might transmit credentials over clear text Description : The remote web server contains several HTML forms containing an input of type 'password' which transmit their information to a remote web server over plain text. An attacker eavesdropping the traffic might use this setup to obtain logins and passwords of valid users. Solution: Make sure that every form transmits its results over HTTPS Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) Plugin output : Page : /user/login Destination page : /user/login Input name : pass Page : /user Destination page : /user Input name : pass Page : /user/?D=A Destination page : /user/?D=A Input name : pass
-----
I had a few links on my top navigation to the user page (login and register) and I have changed those calls to all be HTTPS, but I am still getting the issue. Is there a way to force all calls to the user area be made with HTTPS (like a setting or something) that would cause this issue to go away?
Thanks in advance for any advice.
Comments
http://drupal.org/project/sec
http://drupal.org/project/securepages
Get great Drupal hosting at MM Hosting. (I don't work for them; I'm just a very satisfied customer)
Or edit the htaccess
Or edit the htaccess file.
RewriteRule ^/?(user|admin) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Drupal SSL Certificates http://www.runssl.com
check out the Secure Pages module
I'm pretty sure the "Secure Pages" contributed module will do what you need.
http://drupal.org/project/securepages
I put in the ReWrite Rule,
I put in the ReWrite Rule, but that did not solve my problem. I will now try the SecurePages module, as also recommended.
same problem
Hi Kevin, did you find a solution to your problem? I'm having the same problem as most of the submits are using http, tried securepages, didn't work, just duplicated my htaccess logic and made things slower.
securepages
You need to configure securepages to tell it which pages to encrypt with SSL.
It is pretty easy, this is a good tutorial showing how to do what you want.
http://zugec.com/drupal/secure-your-site
update
Just an update. I discovered my problem with plain text posts was related to the domain access module, i'm using mod_rewrite instead of secure pages. There are plenty of apache tutorials for mod_rewrite, but thanks for the tip!!
further update
For future reference, the message above is triggered when a user login block is on a page that is unsecured, in our case the home page. The secure pages hijack prevention module (which appears to have been created after this thread was last updated) was designed to handle the block. After installing it, we no longer received that message on our security metrics scan.