Created on 2017-04-29 17:19 by paulschreiber, last changed 2017-12-13 11:29 by ber.
|msg5969||Author: [hidden] (paulschreiber)||Date: 2017-04-29 17:19|
issues.roundup-tracker.org does not support HTTPS. All sites — especially sites providing logins — should support HTTPS and enforce it with HSTS.
|msg5973||Author: [hidden] (ber)||Date: 2017-05-09 14:18|
I agree that it would be nice to have HTTPS support for issues.roundup-tracker.org, http://www.roundup-tracker.org/ and wiki.roundup-tracker.org. So thanks for reminding us. With https://en.wikipedia.org/wiki/Let%27s_Encrypt it should be fairly easy to get HTTPS started. As for HSTS, I have a tendency to consider it less useful; the reason is that it may make access harder to the information on the side, and a lot of info is valuable without TLS as well.
|msg5974||Author: [hidden] (paulschreiber)||Date: 2017-05-09 16:12|
What do you mean by "may make access harder to the information on the side"? All web browsers support HTTPS.
|msg5995||Author: [hidden] (rouilj)||Date: 2017-07-29 01:11|
Bernhard, have you talked to the python.org folks (IIRC) about getting this under https? At the very least encrypting logins would be good. We just had a spam login from a user whose password was changed by an admin back in 2009. So I am not sure how the spam was posted (maybe email), but securing the tracker needs to be done.
|msg5997||Author: [hidden] (ber)||Date: 2017-07-31 07:53|
@paulschreiber: Worldwide a number of users cannot use HTTPS easily. Two major reasons: a) older browsers (on old tablets, phones or computers with operating systems with no updates available for a number of reasons). b) surveillance or censorship breaks or blocks HTTPS.

@rouilj: Here is my last status (which did not make it to the list, though it should have); I haven't checked further. The OS update should have solved the problems the Python folks had with their Let's Encrypt client, I guess.

---------- Forwarded message ----------
Subject: Re: [Infrastructure] [Roundup-devel] https://issues.roundup-tracker.org/ is python bug tracker??
Date: Friday, 12 May 2017, 18:55:38
From: Mark Mangoba <email@example.com>
To: "R. David Murray" <firstname.lastname@example.org>
Cc: Bernhard Reiter <email@example.com>, firstname.lastname@example.org, "email@example.com infrastructure" <firstname.lastname@example.org>

I am planning to schedule an upgrade of bugs.python.org from Debian 6 to 7 next week; this should ultimately fix the issue as well as keep bugs healthy. At the moment, I am working with the hosting provider if it's possible to create a snapshot of the VM so we can simulate and test the upgrade. I should provide an update later next week on status and schedule.

Best regards,
Mark
|msg6052||Author: [hidden] (paulschreiber)||Date: 2017-12-05 04:24|
What you're stating is not true.

- HTTPS has been supported since 1994.
- Modern HTTPS is widely supported:
  - TLSv1.0+ has been supported since IE6 (2001), Firefox 2 (2006), Chrome 1 (2008).
  - SNI has been supported since IE7 (2006), Firefox 2, Chrome 6, Safari 3.1. On mobile, it's been supported since iOS 4 and Android 3.

I am not sure what you mean by HSTS making "access harder to the information on the side" or "and a lot of info is valuable without TLS as well."

The entire internet is moving to HTTPS. As of November 2017, 45% of page loads are HTTPS (Firefox telemetry). The Google HTTPS Transparency Report (https://transparencyreport.google.com/https/overview) has more data, showing 76% of US page loads are HTTPS, and 86% of US browsing time is HTTPS.

In most cases, sites for technical users (GitHub, GitLab, SourceForge, python.org, ruby-lang.org, golang.org, etc.) have led the way. Even the stereotypically slow-moving US government is mandating HTTPS: https://https.cio.gov/ Usually it's only folks with less technical sophistication who require convincing.

I'm genuinely perplexed by your resistance. (Perhaps someone has hacked your account, or you're just trolling me.)
|msg6053||Author: [hidden] (ber)||Date: 2017-12-13 11:29|
Hi Paul:

Regarding HTTPS: it would be very nice to have. It is just a question of who gets around to doing the work and detangling the dependencies with the Python trackers.

Regarding enforcing HTTPS, which I believe HSTS does: I'm not sure about the downsides. For both potential downsides I gave there are examples:
a) Appliances inspecting/breaking HTTPS connections and causing problems. E.g. see https://jhalderm.com/pub/papers/interception-ndss17.pdf. It is a study that shows that a significant fraction of HTTPS traffic is negatively influenced by such appliances.
b) Countries or companies blocking HTTPS access; an example is that the Chinese Wikipedia was blocked by China because of the use of HTTPS. (According to Wikipedia at https://en.wikipedia.org/wiki/Internet_censorship_in_China)
| Date | User | Action | Args |
|---|---|---|---|
| 2017-12-13 11:29:47 | ber | set | messages: + msg6053 |
| 2017-12-05 04:24:34 | paulschreiber | set | messages: + msg6052 |
| 2017-07-31 07:53:52 | ber | set | messages: + msg5997 |