One of my sites (and my server) has been audited by a security company for credit card use and, having fixed most of the problems, I am still getting this issue (pasted below):
-----
Synopsis : The remote web server might transmit credentials over clear text Description : The remote web server contains several HTML forms containing an input of type 'password' which transmit their information to a remote web server over plain text. An attacker eavesdropping the traffic might use this setup to obtain logins and passwords of valid users. Solution: Make sure that every form transmits its results over HTTPS Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) Plugin output : Page : /user/login Destination page : /user/login Input name : pass Page : /user Destination page : /user Input name : pass Page : /user/?D=A Destination page : /user/?D=A Input name : pass
-----
I had a few links on my top navigation to the user page (login and register) and I have changed those calls to all be HTTPS, but I am still getting the issue. Is there a way to force all calls to the user area be made with HTTPS (like a setting or something) that would cause this issue to go away?

Thanks in advance for any advice.

Comments

davedelong’s picture

http://drupal.org/project/securepages

Get great Drupal hosting at MM Hosting. (I don't work for them; I'm just a very satisfied customer)

runssl’s picture

Or edit the htaccess file.

RewriteRule ^/?(user|admin) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Drupal SSL Certificates http://www.runssl.com

Anonymous’s picture

I'm pretty sure the "Secure Pages" contributed module will do what you need.
http://drupal.org/project/securepages

Kevin.K’s picture

I put in the ReWrite Rule, but that did not solve my problem. I will now try the SecurePages module, as also recommended.

jyamada’s picture

Hi Kevin, did you find a solution to your problem? I'm having the same problem as most of the submits are using http, tried securepages, didn't work, just duplicated my htaccess logic and made things slower.

Anonymous’s picture

You need to configure securepages to tell it which pages to encrypt with SSL.

It is pretty easy, this is a good tutorial showing how to do what you want.

http://zugec.com/drupal/secure-your-site

jyamada’s picture

Just an update. I discovered my problem with plain text posts was related to the domain access module, i'm using mod_rewrite instead of secure pages. There are plenty of apache tutorials for mod_rewrite, but thanks for the tip!!

ronnienorwood’s picture

For future reference, the message above is triggered when a user login block is on a page that is unsecured, in our case the home page. The secure pages hijack prevention module (which appears to have been created after this thread was last updated) was designed to handle the block. After installing it, we no longer received that message on our security metrics scan.