forums.comodo.com has not SSL forced.

Hi,
this message is to advice you the forum of comodo is also accessibile without SSL so credentals can be send on not trust https.

For reproduce open a new private browser session ( I AM with Firefox) and open forums.comodo.com you will be able to navgate and log in without SSL.
Is suggested to force SSL to have always forum under SSL.

After you log in the forums should transport into https, and i think the login stage is also encapsulated there after you hit login.

It’s true that forums.comodo.com does not use a redirect from http to https, which I agree it should use.

However, forums.comodo.com uses HSTS, which means that once you have connected securely to forums.comodo.com (that is https://forums.comodo.com), you will not be able to connect insecurely (using the same browser) to forums.comodo.com (that is http://forums.comodo.com) for the next 182,5 days. You will automatically get glorious TLS 1.2, but no version of SSL. :smiley: I hope you won’t miss the latter. :wink:

The issue related to the SSL seems now fixed.

What has been “fixed”? And did you read my previous reply?

I read but what you wrote is not valid for me as I was able to visit the forum without SSL, do log in without SSL with no errors. Now seems I AM redirected to SSL. Maybe I need test on incognito mode. Let’s see if the results is the same.

Results: NOT FIXED.

In Incognito mode you can open forum.comodo.com who redirects you to non SSL forums.comodo.com and you are able to navigate and do actions without SSL.
Also forums.comodo.com give you the possibility, in incognito, to navigate without SSL.

[attachment deleted by admin]

It is valid.

The issue you encounter is that Firefox in private mode, apparently, does not use HSTS-cookies that were stored when using Firefox in normal mode, and Firefox does not keep HSTS-cookies that were stored in a private session, when the private window is closed. If you connect to https://forums.comodo.com with Firefox in private mode, you can not connect to http://forums.comodo.com during that session, but the next time you open a private Firefox-window, you will again be able to connect insecurely to http://forums.comodo.com.

To solve that, and eliminate the first insecure connection for all users (of modern browsers), the domain should be preloaded.

And to be picky, forums.comodo.com does not use (and Firefox does not support) SSL. Only TLS. :wink:

If you like your forum or website work on this way is ok.
For me that is an issue. When I try to load a bank website or an SSL website without https in incognito mode are always redirected to the secure version :slight_smile: so “it’s all ok” if what I show to you is not an issue. You are right to think this, I think different :slight_smile:

Thanks for explain to me I think to understand but not agree in safety of this kind of install. HTTP should always redirected not only with Cookie.

I did not say (or mean to say) that it is not an issue. I’m all for enforcing HTTP over TLS everywhere, which is why I use HTTPS Everywhere. :-TU

However, I think the issue is quite limited, as HSTS is used and enforces TLS after the first secure connection. There is an issue for browsers that do not support HSTS, and for Firefox in private mode. And also for the very first connection, if it does not happen to be over TLS.

For obsolete browsers (eg. IE10 and older), a traditional 301-redirect would be the only way to ensure that TLS is always used. For modern browsers, HSTS-preload is both faster (traditional redirects are slow) and more secure (the browser will never attempt or accept to connect insecurely).