Login credentials transmitted in cleartext on index.rubygems.org

If someone links their target to http://index.rubygems.org then if they click "sign in" their credentials are transmitted plaintext as there is no https redirect or enforcing of https on the login form. Step 1: Link to http://index.rubuygems.org Step 2: sniff traffic (open wifi / proxy / etc) See the following parameters POST to the session endpoint. The user is confronted with an error since the session cookie is marked secure so they can't continue to logged in resources. But the attacker already has their username and password: Request captured. ``` POST /session HTTP/1.1 Host: index.rubygems.org User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://index.rubygems.org/sign_in Cookie: _gauges_unique_hour=1; _gauges_unique_day=1; _gauges_unique_month=1; _gauges_unique_year=1; _gauges_unique=1; _ga=GA1.2.406017651.1475277378 DNT: 1 Connection: keep-alive Upgrade-Insecure-Requests: 1 Pragma: no-cache Cache-Control: no-cache ``` Post Data Captured: ``` utf8=✓ authenticity_token=9dML75aXwXcw4rqJlOeKDK2/SdRK78+5ciMEtrMbDgEf160r9v1TX0/pXynzDC+pYSp5M1oGLsmtvkixo+MfdA== session[who]=Eterm1 session[password]=5[redacted]W commit=Sign+in ``` Furthermore, _rubygems_session cookie is transmitted over http. It has a "secure" flag which stops the client resubmitting over http, but an attacker can see it clear in the response headers.