Issue 2550940
Created on 2017-04-29 17:19 by paulschreiber, last changed 2019-03-06 09:27 by ber.
Messages | |||
---|---|---|---|
msg5969 | Author: [hidden] (paulschreiber) | Date: 2017-04-29 17:19 | |
issues.roundup-tracker.org does not support HTTPS. All sites — especially sites providing logins — should support HTTPS and enforce it with HSTS. |
|||
msg5973 | Author: [hidden] (ber) | Date: 2017-05-09 14:18 | |
I agree that it would be nice to have HTTPS support for issues.roundup-tracker.org, http://www.roundup-tracker.org/ and wiki.roundup-tracker.org. So thanks for reminding us. With https://en.wikipedia.org/wiki/Let%27s_Encrypt it should be fairly easy to get HTTPS started. As for HSTS, I have a tendency to consider it less useful; the reason is that it may make access harder to the information on the side, and a lot of info is valuable without TLS as well. |
|||
msg5974 | Author: [hidden] (paulschreiber) | Date: 2017-05-09 16:12 | |
What do you mean by "may make access harder to the information on the side"? All web browsers support HTTPS. |
|||
msg5995 | Author: [hidden] (rouilj) | Date: 2017-07-29 01:11 | |
Bernhard, have you talked to the python.org folks (IIRC) about getting this under https? At the very least encrypting logins would be good. We just had a spam login from a user whose password was changed by an admin back in 2009. So I am not sure how the spam was posted (maybe email), but securing the tracker needs to be done. |
|||
msg5997 | Author: [hidden] (ber) | Date: 2017-07-31 07:53 | |
@paulschreiber: Worldwide a number of users cannot use HTTPS easily. Two major reasons: a) older browsers (on old tablets, phones or computers with operating systems with no updates available, for a number of reasons); b) surveillance or censorship breaks or blocks HTTPS. @rouilj: Here is my last status (which did not make it to the list, though it should have); I haven't checked further. The OS update should have solved the problems the Python folks had with their Let's Encrypt client, I guess. ---------- Forwarded message ---------- Subject: Re: [Infrastructure] [Roundup-devel] https://issues.roundup-tracker.org/ is python bug tracker?? Date: Friday 12 May 2017, 18:55:38 From: Mark Mangoba <mmangoba@python.org> To: "R. David Murray" <rdmurray@bitdance.com> Cc: Bernhard Reiter <bernhard@intevation.de>, roundup-devel@lists.sourceforge.net, "infrastructure@python.org infrastructure" <infrastructure@python.org> I am planning to schedule an upgrade of bugs.python.org from Debian 6 to 7 next week; this should ultimately fix the issue as well as keep bugs healthy. At the moment, I am working with the hosting provider to see if it's possible to create a snapshot of the VM so we can simulate and test the upgrade. I should provide an update later next week on status and schedule. Best regards, Mark |
|||
msg6052 | Author: [hidden] (paulschreiber) | Date: 2017-12-05 04:24 | |
What you're stating is not true. - HTTPS has been supported since 1994. - Modern HTTPS is widely supported -- TLSv1.0+ has been supported since IE6 (2001), Firefox 2 (2006), Chrome 1 (2008) -- SNI has been supported since IE7 (2006), Firefox 2, Chrome 6, Safari 3.1. On mobile, it's been supported since iOS 4 and Android 3. I am not sure what you mean by HSTS making "access harder to the information on the side" or "and a lot of info is valuable without TLS as well." The entire internet is moving to HTTPS. As of November 2017, 45% of page loads are HTTPS (Firefox telemetry). The Google HTTPS Transparency Report -- https://transparencyreport.google.com/https/overview -- has more data, showing 76% of US page loads are HTTPS, and 86% of US browsing time is HTTPS. In most cases, sites for technical users (GitHub, GitLab, Sourceforge, python.org, ruby-lang.org, golang.org, etc.) have led the way. Even the stereotypically slow-moving US government is mandating HTTPS: https://https.cio.gov/ Usually it's only folks with less technical sophistication who require convincing. I'm genuinely perplexed by your resistance. (Perhaps someone has hacked your account, or you're just trolling me.) |
|||
msg6053 | Author: [hidden] (ber) | Date: 2017-12-13 11:29 | |
Hi Paul: Regarding HTTPS: it would be very nice to have. It is just a question of who gets around to doing the work and detangling the dependencies with the Python trackers. Regarding enforcing HTTPS, which I believe HSTS does: I'm not sure about the downsides. For both potential downsides I gave there are examples: a) appliances inspecting/breaking HTTPS connections and causing problems. E.g. see https://jhalderm.com/pub/papers/interception-ndss17.pdf It is a study that shows that a significant fraction of HTTPS traffic is negatively influenced by such appliances. b) Countries or companies blocking HTTPS access; an example is that the Chinese Wikipedia was blocked by China because of the use of HTTPS. (According to Wikipedia at https://en.wikipedia.org/wiki/Internet_censorship_in_China ) |
|||
msg6082 | Author: [hidden] (rouilj) | Date: 2018-06-07 00:11 | |
Added issue2550861 as it is the same issue. |
|||
msg6155 | Author: [hidden] (cmeerw) | Date: 2018-08-01 06:46 | |
What's actually the problem that prevents the use of HTTPS? I see that bugs.python.org is hosted on the same IP address (using https) - is that preventing issues.roundup-tracker.org using https on the same IP address? |
|||
msg6174 | Author: [hidden] (ber) | Date: 2018-08-06 12:56 | |
Someone doing the system administration work. |
|||
msg6340 | Author: [hidden] (rouilj) | Date: 2019-02-13 00:20 | |
With the upgrade of the OS by the Python folks, we now have HTTPS certs: https://issues.roundup-tracker.org/issue2550940 works. Also HSTS is set: Strict-Transport-Security: max-age=63072000; includeSubdomains; preload |
|||
msg6341 | Author: [hidden] (ber) | Date: 2019-02-13 07:35 | |
The main page http://www.roundup-tracker.org/ still points to http for the tracker. |
|||
msg6342 | Author: [hidden] (rouilj) | Date: 2019-02-13 11:31 | |
Agreed. However, the http connection is redirected to https at the tracker. So after the first redirect HSTS should kick in so that all connections to issues are done over TLS. So that helps. Also http://www.roundup-tracker.org/ is not under TLS, so that link from the homepage could be reset to http on the fly. I would be more concerned about the tracker link reference to http if www.roundup-tracker.org were under https. I have changed all the references to http://issues in the website subdirectory and just checked it in. So whoever does the next deployment should get the updated link. -- rouilj |
|||
msg6366 | Author: [hidden] (ber) | Date: 2019-03-06 09:03 | |
Note it would be good to have a link to the python infrastructure that we are sharing. I haven't been able to easily find more details about the move and created the following issue with Python's documentation: https://github.com/python/psf-salt/issues/165 |
|||
msg6367 | Author: [hidden] (ber) | Date: 2019-03-06 09:27 | |
The webpages are updated now. |
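The header reported in msg6340 and the reasoning in msg6342 (redirect first, then HSTS pins later connections to TLS), as an added example that is not part of the original thread or the Roundup project: it parses the tracker's Strict-Transport-Security value per RFC 6797, checks it against the hstspreload.org requirements, and models a browser's HSTS store with constructed integer timestamps, so the one request that still leaves over plain http (the first one, before the host is known or preloaded) is visible.

```python
# Added example (not the Roundup project's code): parse a Strict-Transport-Security
# header per RFC 6797 and model the browser HSTS store that msg6342 relies on.
# Times are plain Unix seconds; all sample values are constructed.
TRACKER_HSTS = "max-age=63072000; includeSubdomains; preload"  # value quoted in msg6340
PRELOAD_MIN_MAX_AGE = 31536000  # one year, the hstspreload.org minimum

def parse_hsts(value):
    """Directive names are case-insensitive, so the tracker's 'includeSubdomains'
    spelling counts as includeSubDomains."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            out["max_age"] = int(val.strip().strip('"'))
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out

def preload_eligible(policy):
    """Preload-list requirements: max-age >= 1 year, includeSubDomains and preload."""
    return (policy["max_age"] is not None and policy["max_age"] >= PRELOAD_MIN_MAX_AGE
            and policy["include_subdomains"] and policy["preload"])

class HstsStore:
    """Hosts that sent the header over https are remembered; later http:// URLs to
    them (and, with includeSubDomains, to their subdomains) are rewritten first."""
    def __init__(self):
        self._known = {}  # host -> (expiry, include_subdomains)

    def record(self, host, header, now):
        p = parse_hsts(header)
        if p["max_age"] is None:  # no max-age: invalid header, ignored (RFC 6797 6.1.1)
            return
        if p["max_age"] == 0:  # max-age=0 tells the browser to forget the host
            self._known.pop(host, None)
            return
        self._known[host] = (now + p["max_age"], p["include_subdomains"])

    def upgrade(self, url, now):
        scheme, _, rest = url.partition("://")
        if scheme != "http":
            return url
        host = rest.split("/", 1)[0].lower()
        for known, (expiry, subs) in self._known.items():
            if now < expiry and (host == known or (subs and host.endswith("." + known))):
                return "https://" + rest
        return url
```

Note that www.roundup-tracker.org is not a subdomain of issues.roundup-tracker.org, so the tracker's policy does nothing for the homepage link discussed in msg6341 and msg6342.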
History

Date | User | Action | Args |
---|---|---|---|
2019-03-06 09:27:29 | ber | set | status: open -> fixed messages: + msg6367 |
2019-03-06 09:03:32 | ber | set | messages: + msg6366 |
2019-02-13 11:31:54 | rouilj | set | messages: + msg6342 |
2019-02-13 07:35:42 | ber | set | status: closed -> open |
2019-02-13 07:35:31 | ber | set | messages: + msg6341 |
2019-02-13 00:20:41 | rouilj | set | status: new -> closed resolution: fixed messages: + msg6340 |
2018-08-06 12:56:31 | ber | set | messages: + msg6174 |
2018-08-01 06:46:40 | cmeerw | set | nosy: + cmeerw messages: + msg6155 |
2018-06-07 00:11:22 | rouilj | set | superseder: HTTPS is a must messages: + msg6082 |
2017-12-13 11:29:47 | ber | set | messages: + msg6053 |
2017-12-05 04:24:34 | paulschreiber | set | messages: + msg6052 |
2017-07-31 07:53:52 | ber | set | messages: + msg5997 |
2017-07-29 01:11:43 | rouilj | set | nosy: + rouilj, ber messages: + msg5995 |
2017-05-09 16:12:17 | paulschreiber | set | nosy: - ber messages: + msg5974 |
2017-05-09 14:18:09 | ber | set | nosy: + ber messages: + msg5973 |
2017-04-29 17:19:51 | paulschreiber | create |