Avatars loading over HTTP instead of HTTPS in the online demo

Artanis · July 23, 2018, 7:43am

Q1. What is the problem that you are trying to solve?
I noticed that the green lock in my browser turned yellow after setting up some avatars for users. I checked it with FF Developer Tools and it turned out that the avatars are loading over plain HTTP instead of HTTPS.
If I fix the url to **https://**passbolt-avatars.s3.amazonaws.com/images/Avatar… the lock turns green.

Q2 - Who is impacted?
I think everyone (?)

Q3 - Why is it important and/or urgent?
I don’t think it’s a huge security flaw but I think it’s needless to explain why it is important a load everything via https.

Q4 - What is your proposed solution? (optional)
Fix the source code

kevin · July 23, 2018, 8:05am

Hi @Artanis,
Thanks for the report.
I can indeed reproduce this. Note that this is only happening with the online demo and is probably related to its configuration (I changed the title to reflect this).
In any case, it should be fixed. I created a task in our backlog to handle this promptly.

Artanis · July 23, 2018, 8:13am

Thanks a lot for the quick response!