Linode Community Forums
Posted: Thu Jan 31, 2008 3:13 pm
bdonlan, Senior Member
Joined: Tue Jan 22, 2008 2:10 am
Posts: 103
In many cases, one can be redirected to the member login page at http[s]://www.linode.com/members/index.cfm without SSL. For example, simply clicking on the 'members' tab will do this. You can also be redirected from SSL to non-SSL when your session expires.

If the login page is delivered without SSL, a man-in-the-middle attack could replace the form's target URL to one that the attacker controls, thus negating some of the benefit of the SSL in the members area beyond. While unlikely to happen on a LAN, this is very possible on public wifi hotspots and the like.

Since the member login page does work with SSL if you replace http with https, I'd suggest adding appropriate directives to redirect from http to https, should the user arrive in the login page on http. Additionally, ensure that SSL pages will never redirect to a non-SSL login page.

Although the user still has to notice the case where they enter from a non-SSL page, and the login page is made to go over non-SSL by the attacker, at the very least an alert user should be able to notice that the login page is suddenly being delivered without SSL.
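As an added example (not code from this thread or from Linode), the following Python sketches the two server-side rules proposed above, a redirect of plain-http member-area requests to https and a guard that stops an https page from redirecting to the login page over http, plus a small client-side audit for the symptom described in the second paragraph: a login page delivered without SSL, or whose form posts without SSL or to a different host. Only the path /members/index.cfm and the host www.linode.com come from the thread; the sample HTML and the host login.example are constructed for the example.

```python
"""Added example: enforce HTTPS on the member login page and audit a fetched
login page for the downgrade / form-target symptom described in the thread.
Only /members/index.cfm and www.linode.com come from the thread; the sample
HTML and the host 'login.example' are constructed for this example."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

MEMBER_PREFIX = "/members/"
LOGIN_PATH = "/members/index.cfm"


def force_https_redirect(scheme, host, path, query=""):
    """Rule 1: a member-area request arriving over plain http gets a 301 to
    the same URL over https. Public pages (forums etc.) are left alone.
    Returns (301, https_url), or None when no redirect is needed."""
    if scheme == "https" or not path.startswith(MEMBER_PREFIX):
        return None
    return 301, urlunsplit(("https", host, path, query, ""))


def safe_login_redirect(current_scheme, target):
    """Rule 2: a redirect issued from an https page (for example on session
    timeout) must never send the browser to the member area over http."""
    parts = urlsplit(target)
    if current_scheme == "https" and parts.scheme == "http" \
            and parts.path.startswith(MEMBER_PREFIX):
        parts = parts._replace(scheme="https")
    return urlunsplit(parts)


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def audit_login_page(page_url, html):
    """Client-side check: given the URL a login page was fetched from and its
    HTML, report what makes the form target tamperable (page not over SSL) or
    shows it already points somewhere it should not (non-SSL or another host)."""
    findings = []
    page = urlsplit(page_url)
    if page.scheme != "https":
        findings.append("login page delivered without SSL")
    parser = _FormActions()
    parser.feed(html)
    for action in parser.actions:
        target = urlsplit(urljoin(page_url, action))  # resolve relative actions
        if target.scheme != "https":
            findings.append("form posts without SSL: " + urlunsplit(target))
        if target.hostname != page.hostname:
            findings.append("form posts to another host: " + str(target.hostname))
    return findings


# Constructed sample pages (not captured from linode.com).
GOOD_PAGE_URL = "https://www.linode.com" + LOGIN_PATH
GOOD_PAGE = ('<html><body><form method="post" action="index.cfm">'
             '<input name="user"><input name="pass" type="password">'
             '</form></body></html>')

BAD_PAGE_URL = "http://www.linode.com" + LOGIN_PATH
BAD_PAGE = ('<html><body><form method="post" '
            'action="http://login.example/members/index.cfm">'
            '<input name="user"><input name="pass" type="password">'
            '</form></body></html>')

if __name__ == "__main__":
    print(force_https_redirect("http", "www.linode.com", LOGIN_PATH))
    print(safe_login_redirect("https", "http://www.linode.com" + LOGIN_PATH))
    print(audit_login_page(GOOD_PAGE_URL, GOOD_PAGE))
    print(audit_login_page(BAD_PAGE_URL, BAD_PAGE))
```

The redirect rules are deliberately scoped to the member area so that public pages such as the forums are untouched, matching the point made later in the thread. In a current deployment the same intent is usually expressed as web-server rewrite rules plus a Strict-Transport-Security header, so that a browser that has seen the site once will not make the plain-http request in the first place.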


Posted: Thu Jan 31, 2008 3:26 pm
caker, Linode Staff
Joined: Tue Apr 15, 2003 6:24 pm
Posts: 3090
Website: http://www.linode.com/
Location: Galloway, NJ
bdonlan wrote:
In many cases, one can be redirected to the member login page at http[s]://www.linode.com/members/index.cfm without SSL. For example, simply clicking on the 'members' tab will do this. You can also be redirected from SSL to non-SSL when your session expires.

How are you reproducing this? The "Members" tab is hard-coded with an https link.

UPDATE: I found it, and fixed it. Session timeouts were redirecting to http. Thanks! :)

bdonlan wrote:
Since the member login page does work with SSL if you replace http with https, I'd suggest adding appropriate directives to redirect from http to https, should the user arrive in the login page on http.

Agreed. I'll make that change.

bdonlan wrote:
Additionally, ensure that SSL pages will never redirect to a non-SSL login page.

Not sure I follow this one -- forums, pastebin, planet, etc., don't need to be https.

Thanks for the comments,
-Chris


Posted: Thu Jan 31, 2008 5:21 pm
bdonlan, Senior Member
Joined: Tue Jan 22, 2008 2:10 am
Posts: 103
caker wrote:
bdonlan wrote:
Additionally, ensure that SSL pages will never redirect to a non-SSL login page.

Not sure I follow this one -- forums, pastebin, planet, etc., don't need to be https.

Thanks for the comments,
-Chris

I just mean in general, don't go from https://*.linode.com/* to http://www.linode.com/members/index.cfm, but I suppose the session timeouts are what were causing that.

