[ mailman-Bugs-1263239 ] Mailman on SSL sends passwords in plain text
Bugs item #1263239, was opened at 2005-08-18 17:25
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1263239&group_id=103

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Web/CGI
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Daniel (doolyo)
Assigned to: Nobody/Anonymous (nobody)
Summary: Mailman on SSL sends passwords in plain text

Initial Comment:
I have tried putting Mailman on a secure path of my server on an https url. It seemed to work approximately when adding the following directive in apache:

    RewriteCond %{HTTPS} !=on
    RewriteRule /mailman/(.*) https://www\.mysite\.com/mailman/$1 [R]

However, I have sniffed the TCP/HTTP traffic during a list creation and I have seen that all the form is posted IN CLEAR. This is normal in fact as we send that to the http link first (see Bug Request #1263219). Therefore the whole test is sent in clear and only afterwards the client receives back the document move to https from apache to redirect to the proper page.

I think that this could be solved if all links of the mailman binaries (admin, create and so forth) are taking dynamically the link specified in the mm_cfg.py, in the DEFAULT_URL_HOST tag.

However maybe there is another clean way of putting that on a secure url. If so I would be interested in how to do that because I didn't find anything about that subject apart from people doing it all like I did.

Thanks,
Daniel