Roundup Tracker - Issues

Issue 2550940

Classification
Title: issues.roundup-tracker.org does not support HTTPS
Type: security
Severity: major
Components: Web interface
Versions:
Process
Status: new
Resolution:
Dependencies:
Superseder: HTTPS is a must (issue2550861)
Assigned To:
Nosy List: ber, paulschreiber, rouilj
Priority:
Keywords:

Created on 2017-04-29 17:19 by paulschreiber, last changed 2018-06-07 00:11 by rouilj.

Messages
msg5969 Author: [hidden] (paulschreiber) Date: 2017-04-29 17:19
issues.roundup-tracker.org does not support HTTPS.

All sites — especially sites providing logins — should support HTTPS and enforce it
with HSTS.
msg5973 Author: [hidden] (ber) Date: 2017-05-09 14:18
I agree that it would be nice to have HTTPS support for
issues.roundup-tracker.org
and http://www.roundup-tracker.org/
wiki.roundup-tracker.org

So thanks for reminding us.
With https://en.wikipedia.org/wiki/Let%27s_Encrypt it should be fairly
easy to get https started.

As for HSTS, I have a tendency to consider it less useful. The reason is
that it may make access harder to the information on the side, and a lot
of info is valuable without TLS as well.
msg5974 Author: [hidden] (paulschreiber) Date: 2017-05-09 16:12
What do you mean by "may make access harder to the information on the side"?

All web browsers support HTTPS.
msg5995 Author: [hidden] (rouilj) Date: 2017-07-29 01:11
Bernhard, have you talked to the python.org folks (IIRC) about
getting this under https?

At the very least encrypting logins would be good.

We just had a spam login from a user whose password was changed
by an admin back in 2009. So I am not sure how the spam was posted
(maybe email), but securing the tracker needs to be done.
msg5997 Author: [hidden] (ber) Date: 2017-07-31 07:53
@paulschreiber:

Worldwide a number of users cannot use HTTPS easily.
Two major reasons:
a) older browsers (on old tablets, phones or computers with operating
systems for which no updates are available, for a number of reasons).
b) surveillance or censorship breaks or blocks HTTPS

@rouilj:
Here is my last status (which did not make it to the list, though it
should have), I haven't checked further.
The os update should have solved the problems the Python folks
had with their Let's encrypt client, I guess.

----------  Forwarded Message  ----------

Subject: Re: [Infrastructure] [Roundup-devel]
https://issues.roundup-tracker.org/ is python bug tracker??
Date: Friday 12 May 2017, 18:55:38
From: Mark Mangoba <mmangoba@python.org>
To: "R. David Murray" <rdmurray@bitdance.com>
Cc:  Bernhard Reiter <bernhard@intevation.de>,
roundup-devel@lists.sourceforge.net, "infrastructure@python.org
infrastructure" <infrastructure@python.org>

I am planning to schedule an upgrade of bugs.python.org from Debian 6 to 7
next week, this should ultimately fix the issue as well as keep bugs
healthy.

At the moment, I am working with the hosting provider if its possible to
create a snapshot of the VM so we can simulate and test the upgrade.

I should provide an update later next week on status and schedule.

Best regards,
Mark
msg6052 Author: [hidden] (paulschreiber) Date: 2017-12-05 04:24
What you're stating is not true.

- HTTPS has been supported since 1994.
- Modern HTTPS is widely supported
-- TLSv1.0+ has been supported since IE6 (2001), Firefox 2 (2006), Chrome 1 (2008)
-- SNI has been supported since IE7 (2006), Firefox 2, Chrome 6, Safari 3.1. On mobile, 
it's been supported since iOS 4 and Android 3.

I am not sure what you mean by HSTS making "access harder to the information on the 
side" or "and a lot of info is valuable without TLS as well."

The entire internet is moving to HTTPS. As of November 2017, 45% of page loads are 
HTTPS (Firefox telemetry). The Google HTTPS Transparency Report --
https://transparencyreport.google.com/https/overview -- has more data, showing 76% of 
US page loads are HTTPS, and 86% of US browsing time is HTTPS.

In most cases, sites for technical users (GitHub, GitLab, Sourceforge, python.org,
ruby-lang.org, golang.org, etc.) have led the way.

Even the stereotypically slow-moving US government is mandating HTTPS: 
https://https.cio.gov/

Usually it's only folks with less technical sophistication who require convincing.

I'm genuinely perplexed by your resistance. (Perhaps someone has hacked your account, 
or you're just trolling me.)
msg6053 Author: [hidden] (ber) Date: 2017-12-13 11:29
Hi Paul:

Regarding HTTPS: it would be very nice to have. It is just who gets
around doing the work and detangle the dependencies with the Python
trackers.

Regarding: Enforcing HTTPS, which I believe HSTS does:
I'm not sure about the downsides.

For both potential downsides I gave there are examples:
a) appliances inspecting/breaking HTTPS connections and causing problems.
   E.g. see
   https://jhalderm.com/pub/papers/interception-ndss17.pdf
   It is a study that shows that a significant fraction of HTTPS traffic
   is negatively influenced by such appliances.

b) Countries or Companies blocking HTTPS access, an example is
   that the Chinese Wikipedia was blocked by China because of the
   use of HTTPS. (According to Wikipedia at
https://en.wikipedia.org/wiki/Internet_censorship_in_China )
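The HSTS enforcement discussed in msg5969 ("enforce it with HSTS") and msg6053 ("Enforcing HTTPS, which I believe HSTS does") happens on the client side: the browser stores the Strict-Transport-Security header it received over TLS and rewrites later http:// URLs for that host itself, which is also why a header seen over plain HTTP must be ignored. The Python example below is added here and is not code from the Roundup project or from either poster; it parses the header as RFC 6797 specifies and models that browser store. The host names, header strings and clock values in it are constructed for illustration.

```python
"""Strict-Transport-Security parsing and client-side enforcement (RFC 6797),
demonstrated offline. Added example; not part of Roundup or this thread.
All hosts and header strings below are constructed for illustration."""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# hstspreload.org requires a max-age of at least one year for preload-list inclusion.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str):
    """Parse a Strict-Transport-Security header value.

    Returns an HstsPolicy, or None when the header is invalid: no max-age,
    a non-numeric max-age, or a directive repeated (RFC 6797 section 6.1 forbids
    repeats). Unknown directives are ignored, as the RFC requires.
    """
    max_age = None
    include_subdomains = False
    preload = False
    seen = set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age may be a quoted-string
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_eligible(policy) -> bool:
    """The conditions the preload list checks on the header itself."""
    return (policy is not None and policy.preload and policy.include_subdomains
            and policy.max_age >= PRELOAD_MIN_MAX_AGE)


class HstsCache:
    """A minimal model of a browser's HSTS store."""

    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}  # host -> (expiry timestamp, include_subdomains)

    def observe(self, host: str, header: str, over_tls: bool) -> bool:
        """Record a policy. A header received over plain HTTP is ignored; honouring
        it would let an on-path attacker plant or clear policies."""
        if not over_tls:
            return False
        policy = parse_hsts(header)
        if policy is None:
            return False
        host = host.lower()
        if policy.max_age == 0:
            self._entries.pop(host, None)  # max-age=0 tells the client to forget the host
        else:
            self._entries[host] = (self._now() + policy.max_age, policy.include_subdomains)
        return True

    def is_known(self, host: str) -> bool:
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        now = self._now()
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry > now and (i == 0 or include_subdomains):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade an http:// URL for a known host; other URLs pass through.
        An explicit :80 becomes the https default; any other explicit port is kept."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    cache.observe("roundup-tracker.org", "max-age=31536000; includeSubDomains; preload", over_tls=True)
    print(cache.rewrite("http://issues.roundup-tracker.org/issue2550940"))
```

The `over_tls` guard is the check that matters operationally: HSTS only ever tightens what a client already fetched securely, so the first visit over plain HTTP (or a user who never reaches the site over TLS at all) gets no protection from it. That is the gap the preload list closes, and why `preload_eligible` insists on `includeSubDomains` and a one-year `max-age`.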
msg6082 Author: [hidden] (rouilj) Date: 2018-06-07 00:11
Added issue2550861 as it is the same issue.
History
Date User Action Args
2018-06-07 00:11:22 rouilj set superseder: HTTPS is a must; messages: + msg6082
2017-12-13 11:29:47 ber set messages: + msg6053
2017-12-05 04:24:34 paulschreiber set messages: + msg6052
2017-07-31 07:53:52 ber set messages: + msg5997
2017-07-29 01:11:43 rouilj set nosy: + rouilj, ber; messages: + msg5995
2017-05-09 16:12:17 paulschreiber set nosy: - ber; messages: + msg5974
2017-05-09 14:18:09 ber set nosy: + ber; messages: + msg5973
2017-04-29 17:19:51 paulschreiber create