Roundup Tracker - Issues

Issue 2550940

classification
Title: issues.roundup-tracker.org does not support HTTPS
Type: security    Severity: major
Components: Web interface    Versions:
process
Status: fixed    Resolution: fixed
Superseder: HTTPS is a must (view issue 2550861)
Nosy List: ber, cmeerw, paulschreiber, rouilj
Priority:

Created on 2017-04-29 17:19 by paulschreiber, last changed 2019-03-06 09:27 by ber.

Messages
msg5969 Author: [hidden] (paulschreiber) Date: 2017-04-29 17:19
issues.roundup-tracker.org does not support HTTPS.

All sites — especially sites providing logins — should support HTTPS and enforce it 
with HSTS.
msg5973 Author: [hidden] (ber) Date: 2017-05-09 14:18
I agree that it would be nice to have HTTPS support for 
issues.roundup-tracker.org
and http://www.roundup-tracker.org/
wiki.roundup-tracker.org

So thanks for reminding us.
With https://en.wikipedia.org/wiki/Let%27s_Encrypt it should be fairly
easy to get https started.

As for HSTS I have a tendency to consider it less useful, the reason is
that it may make access harder to the information on the side and a lot
of info is valuable without TLS as well.
msg5974 Author: [hidden] (paulschreiber) Date: 2017-05-09 16:12
What do you mean by "may make access harder to the information on the side"?

All web browsers support HTTPS.
msg5995 Author: [hidden] (rouilj) Date: 2017-07-29 01:11
Bernhard, have you talked to the python.org folks (IIRC) about
getting this under https?

At the very least encrypting logins would be good.

We just had a spam login from a user whose password was changed
by an admin back in 2009. So I am not sure how the spam was posted
(maybe email), but securing the tracker needs to be done.
msg5997 Author: [hidden] (ber) Date: 2017-07-31 07:53
@paulschreiber:

Worldwide a number of users cannot use HTTPS easily.
Two major reasons:
a) older browsers (on old tablets, phones or computers with operating
systems for which no updates are available, for a number of reasons).
b) surveillance or censorship breaks or blocks HTTPS

@rouilj:
Here is my last status (which did not make it to the list, though it
should have), I haven't checked further.
The os update should have solved the problems the Python folks
had with their Let's encrypt client, I guess.

----------  Forwarded message  ----------

Subject: Re: [Infrastructure] [Roundup-devel]
https://issues.roundup-tracker.org/ is python bug tracker??
Date: Friday 12 May 2017, 18:55:38
From: Mark Mangoba <mmangoba@python.org>
To: "R. David Murray" <rdmurray@bitdance.com>
CC:  Bernhard Reiter <bernhard@intevation.de>,
roundup-devel@lists.sourceforge.net, "infrastructure@python.org
infrastructure" <infrastructure@python.org>

I am planning to schedule an upgrade of bugs.python.org from Debian 6 to 7
next week, this should ultimately fix the issue as well as keep bugs
healthy.

At the moment, I am working with the hosting provider to see if it's possible to
create a snapshot of the VM so we can simulate and test the upgrade.

I should provide an update later next week on status and schedule.

Best regards,
Mark
msg6052 Author: [hidden] (paulschreiber) Date: 2017-12-05 04:24
What you're stating is not true.

- HTTPS has been supported since 1994.
- Modern HTTPS is widely supported
-- TLSv1.0+ has been supported since IE6 (2001), Firefox 2 (2006), Chrome 1 (2008)
-- SNI has been supported since IE7 (2006), Firefox 2, Chrome 6, Safari 3.1. On mobile, 
it's been supported since iOS 4 and Android 3.

I am not sure what you mean by HSTS making "access harder to the information on the 
side" or "and a lot of info is valuable without TLS as well."

The entire internet is moving to HTTPS. As of November 2017, 45% of page loads are 
HTTPS (Firefox telemetry). The Google HTTPS Transparency Report --
https://transparencyreport.google.com/https/overview -- has more data, showing 76% of 
US page loads are HTTPS, and 86% of US browsing time is HTTPS.

In most cases, sites for technical users (GitHub, GitLab, Sourceforge, python.org, ruby-lang.org, golang.org, etc.) have led the way.

Even the stereotypically slow-moving US government is mandating HTTPS: 
https://https.cio.gov/

Usually it's only folks with less technical sophistication who require convincing.

I'm genuinely perplexed by your resistance. (Perhaps someone has hacked your account, 
or you're just trolling me.)
msg6053 Author: [hidden] (ber) Date: 2017-12-13 11:29
Hi Paul:

Regarding HTTPS: it would be very nice to have. It is just who gets
around doing the work and detangle the dependencies with the Python
trackers.

Regarding: Enforcing HTTPS, which I believe HSTS does:
I'm not sure about the downsides.

For both potential downsides I gave there are examples:
a) appliances inspecting/breaking HTTPS connections and causing problems.
   E.g. see
   https://jhalderm.com/pub/papers/interception-ndss17.pdf
   It is a study that shows that a significant fraction of HTTPS traffic
   is negatively influenced by such appliances.

b) Countries or Companies blocking HTTPS access, an example is
   that the Chinese Wikipedia was blocked by China because of the
   use of HTTPS. (According to Wikipedia at
https://en.wikipedia.org/wiki/Internet_censorship_in_China )
msg6082 Author: [hidden] (rouilj) Date: 2018-06-07 00:11
Added issue2550861 as it is the same issue.
msg6155 Author: [hidden] (cmeerw) Date: 2018-08-01 06:46
What's actually the problem that prevents the use of HTTPS?

I see that bugs.python.org is hosted on the same IP address (using https) 
- is that preventing issues.roundup-tracker.org using https on the same 
IP address?
msg6174 Author: [hidden] (ber) Date: 2018-08-06 12:56
Someone doing the system administration work.
msg6340 Author: [hidden] (rouilj) Date: 2019-02-13 00:20
With the upgrade of the os by the python folks, we now have https
certs:

https://issues.roundup-tracker.org/issue2550940

works.

Also HSTS is set:

Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
msg6341 Author: [hidden] (ber) Date: 2019-02-13 07:35
The main page http://www.roundup-tracker.org/ still points
to http for the tracker.
msg6342 Author: [hidden] (rouilj) Date: 2019-02-13 11:31
Agreed. However the http connection is redirected to https at the 
tracker. So after the first redirect HSTS should kick in so
that all connections to issues are done over TLS. So that helps.

Also http://www.roundup-tracker.org/ is not under TLS, so
that link from the homepage could be reset to http on the fly.
I would be more concerned about the tracker link reference
to http if www.roundup-tracker.org were under https.

I have changed all the references to http://issues in the website
subdirectory and just checked it in. So whoever does the next
deployment should get the updated link.

-- rouilj
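The two points made in msg6340 and msg6342 (the tracker now sends a preload-grade HSTS header, and a browser that follows the first http redirect should afterwards upgrade http links to the tracker on its own) can be checked without touching the network. The script below is an added example, not code from the Roundup project or from anyone on this thread: it parses the Strict-Transport-Security value quoted in msg6340, lists anything that would keep it off the browser preload list, and runs a constructed stand-in for the tracker against a simplified client-side HSTS store so the first-visit redirect and the later local upgrade can be observed. The server model, the one-year preload minimum and the client logic are this example's own assumptions, not a real browser.

```python
"""Added example (not Roundup project code): parse the HSTS header quoted in
msg6340, check it against the preload-list requirements, and model how a UA
goes from the first plain-http request (redirected by the server, msg6342)
to upgrading later http:// links locally.  Server and client below are
constructed stand-ins, a simplified reading of RFC 6797, not a real browser."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Header value as reported on the tracker in msg6340.
TRACKER_HSTS = "max-age=63072000; includeSubdomains; preload"
TRACKER_HOST = "issues.roundup-tracker.org"
PRELOAD_MIN_MAX_AGE = 31_536_000  # assumption: preload list wants >= one year


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Directive names are case-insensitive, unknown directives are ignored,
    and a header without max-age is invalid (a UA would ignore it).
    """
    max_age = None
    include_subdomains = preload = False
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                raise ValueError(f"bad max-age value: {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive missing")
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(policy: HstsPolicy) -> list[str]:
    """Reasons the preload list would reject this policy (empty list = fine)."""
    problems = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy.max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains missing")
    if not policy.preload:
        problems.append("preload token missing")
    return problems


class HstsClient:
    """Minimal UA-side HSTS store: host -> (expiry time, includeSubDomains)."""

    def __init__(self, now: float = 0.0) -> None:
        self.now = now
        self.known: dict[str, tuple[float, bool]] = {}

    def note_response(self, host: str, over_tls: bool, headers: dict[str, str]) -> None:
        value = headers.get("Strict-Transport-Security")
        # RFC 6797 section 8.1: the header only counts when received over TLS.
        if value is None or not over_tls:
            return
        policy = parse_hsts(value)
        if policy.max_age == 0:
            self.known.pop(host, None)  # max-age=0 tells the UA to forget the host
        else:
            self.known[host] = (self.now + policy.max_age, policy.include_subdomains)

    def is_known(self, host: str) -> bool:
        for known, (expiry, subs) in self.known.items():
            if expiry > self.now and (host == known or (subs and host.endswith("." + known))):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade http:// to https:// for known hosts before anything hits the wire."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def tracker_server(url: str) -> tuple[int, dict[str, str]]:
    """Constructed stand-in for the tracker: plain http redirects, https carries HSTS."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return 301, {"Location": urlunsplit(("https",) + tuple(parts[1:]))}
    return 200, {"Strict-Transport-Security": TRACKER_HSTS}


def fetch(client: HstsClient, url: str) -> list[str]:
    """Fetch the way a UA would and return the URLs actually sent on the wire."""
    wire = []
    url = client.rewrite(url)
    for _ in range(5):
        wire.append(url)
        status, headers = tracker_server(url)
        parts = urlsplit(url)
        client.note_response(parts.hostname or "", parts.scheme == "https", headers)
        if status not in (301, 302, 307, 308):
            return wire
        url = client.rewrite(headers["Location"])
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    print(preload_problems(parse_hsts(TRACKER_HSTS)))          # []
    ua = HstsClient()
    print(fetch(ua, f"http://{TRACKER_HOST}/issue2550940"))    # http, then https
    print(fetch(ua, f"http://{TRACKER_HOST}/issue2550861"))    # https only
```

The second `fetch` shows the point of msg6342: once the store holds the host, an http link on the homepage is rewritten before any request leaves the client. It also shows the limit: `www.roundup-tracker.org` is a sibling of `issues.`, not a subdomain of it, so `includeSubDomains` on the tracker's header does nothing for the homepage, and a header seen only in the plain-http 301 response would be ignored.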
msg6366 Author: [hidden] (ber) Date: 2019-03-06 09:03
Note it would be good to have a link to the python infrastructure
that we are sharing. I haven't been able to easily find more details
about the move and created the following issue with Python's documentation:

https://github.com/python/psf-salt/issues/165
msg6367 Author: [hidden] (ber) Date: 2019-03-06 09:27
The webpages are updated now.
History
Date                 User           Action  Args
2019-03-06 09:27:29  ber            set     status: open -> fixed; messages: + msg6367
2019-03-06 09:03:32  ber            set     messages: + msg6366
2019-02-13 11:31:54  rouilj         set     messages: + msg6342
2019-02-13 07:35:42  ber            set     status: closed -> open
2019-02-13 07:35:31  ber            set     messages: + msg6341
2019-02-13 00:20:41  rouilj         set     status: new -> closed; resolution: fixed; messages: + msg6340
2018-08-06 12:56:31  ber            set     messages: + msg6174
2018-08-01 06:46:40  cmeerw         set     nosy: + cmeerw; messages: + msg6155
2018-06-07 00:11:22  rouilj         set     superseder: HTTPS is a must; messages: + msg6082
2017-12-13 11:29:47  ber            set     messages: + msg6053
2017-12-05 04:24:34  paulschreiber  set     messages: + msg6052
2017-07-31 07:53:52  ber            set     messages: + msg5997
2017-07-29 01:11:43  rouilj         set     nosy: + rouilj, ber; messages: + msg5995
2017-05-09 16:12:17  paulschreiber  set     nosy: - ber; messages: + msg5974
2017-05-09 14:18:09  ber            set     nosy: + ber; messages: + msg5973
2017-04-29 17:19:51  paulschreiber  create