Jump to content

HTTPs for SpamCop sign in


mschmitt

Recommended Posts

Currently the http://www.spamcop.net/ site does not use https. This means that if you login to SpamCop from the login form (http://www.spamcop.net/mcgi?action=loginform), the no-cookie alternate login (e.g.http://mailsc.spamcop.net/) or using the login button on any page, your userid and password are passed in the clear.

This in itself is a security exposure, but it is much worse if you have an email account, because then your SpamCop.net login is your email account userid and password. So even if you are careful to always change the webmail login to https, and to use SSL from other mail clients, you're still giving up the email credentials anytime you login to the SpamCop site (such as for reporting via the Held Mail interface).

Note that the site also needs to use HTTPS when it passes the cookies, or some other means of spoiling session cookie replay attacks.

I tried changing to https://www.spamcop.net. It does present a certificate but it is invalid, and if you accept it it then says the service is down.

This needs to be fixed!

Link to comment
Share on other sites

  • 2 weeks later...
  • 2 months later...

I've seen this mentioned in recent discussions, but the only one I can find using the Search function is http://forum.spamcop.net/forums/index.php?showtopic=13779. This mentions it as a paid account issue, but actually it's a serious issue for anyone with a SpamCop e-mail account reporting spam via the webpage login.

The url https://spamcop.net gives you a certificate error. If you proceed, you are redirected to http://www.spamcop.net, and if you log in there, which you have to do with your full private spamcop e-mail address and password, your mail address and password are sent in clear text.

I only use iexplore.exe. If anyone has different findings with another browser, I'd love to hear.

I have security issues at the moment which I am trying to counter by among other things, not sending anything in clear text. Unsurprisingly, these security issues include parsing spam, targeted phishing attempts in this case. I need not to send stuff in clear text as it may be getting "harvested".

Could SpamCop staff please do something about the fact that https://spamcop.net is not functioning and get it back up and running, for all our sakes and security?

Or is there a new https url for reporting which I've altogether missed?

Thanks.

Link to comment
Share on other sites

I suspect that many of us will consider that unacceptable in this day and age. HTTPS is essential to best security practices.

The only sure-fire method I know of for ensuring security of any particular machine is to disconnect it completely from the outside world. Sadly this probably would probably hinder our reporting efforts more than helping them. :)

Link to comment
Share on other sites

....

The url https://spamcop.net gives you a certificate error.

...

This is because the certificate was signed for a different host. Firefox shows the following:

spamcop.net uses an invalid security certificate.

The certificate is only valid for the following names:

*.akamaihd.net , *.akamaihd-staging.net , a248.e.akamai.net

(Error code: ssl_error_bad_cert_domain)

You may need to to download and accept the certificate if you really want to use the HTTPS. For me, I have not had any issue using HTTP for many years now.

Link to comment
Share on other sites

  • 3 years later...

Please add HSTS to the spamcop.net (still have wrong cert) and www.spamcop.net for more security.

Website have and some other problems, please see:

https://www.ssllabs.com/ssltest/analyze.html?d=spamcop.net&ignoreMismatch=on&latest

https://www.ssllabs.com/ssltest/analyze.html?d=www.spamcop.net&latest

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...