Roundup Tracker - Issues

Issue 2550940

Title: does not support HTTPS
Type: security Severity: major
Components: Web interface Versions:
Status: fixed Resolution: fixed
Dependencies: Superseder: HTTPS is a must
View: 2550861
Assigned To: Nosy List: ber, cmeerw, paulschreiber, rouilj
Priority: Keywords:

Created on 2017-04-29 17:19 by paulschreiber, last changed 2019-03-06 09:27 by ber.

msg5969 Author: [hidden] (paulschreiber) Date: 2017-04-29 17:19 does not support HTTPS.

All sites — especially sites providing logins — should support HTTPS and enforce it 
with HSTS>
msg5973 Author: [hidden] (ber) Date: 2017-05-09 14:18
I agree that it would be nice to have a HTTPS support for

So thanks for reminding us.
With it should be fairly
easy to get https started.

As for HSTS I have a tendency to consider it less useful, the reason is
that it may make access harder to the information on the side and a lot
of info is valuable without TLS as well.
msg5974 Author: [hidden] (paulschreiber) Date: 2017-05-09 16:12
What do you mean by "may make access harder to the information on the side"?

All web browsers support HTTPS.
msg5995 Author: [hidden] (rouilj) Date: 2017-07-29 01:11
Bernhard, have you talked to the folks (IIRC) about
getting this under https?

At the very least encrypting logins would be good.

We just had a spam login from a user whose password was changed
by an admin back in 2009. So I am not sure how the spam was posted
(maybe email), but securing the tracker needs to be done.
msg5997 Author: [hidden] (ber) Date: 2017-07-31 07:53

World wide a number of users cannot use HTTPS easily.
Two major reasons:
a) elder browsers (on old tablets, phone or computer with operating
systems, with no updates available for a number of reasons).
b) surveillance or censorship breaks or block HTTPS

Here is my last status (which did not make it to the list, though it
should have), I haven't checked further.
The os update should have solved the problems the Python folks
had with their Let's encrypt client, I guess.

----------  Weitergeleitete Nachricht  ----------

Betreff: Re: [Infrastructure] [Roundup-devel] is python bug tracker??
Datum: Freitag 12 Mai 2017, 18:55:38
Von: Mark Mangoba <>
An: "R. David Murray" <>
Kopie:  Bernhard Reiter <>,, "
infrastructure" <>

I am planning to schedule an upgrade of from Debian 6 to 7
next week, this should ultimately fix the issue as well as keep bugs

At the moment, I am working with the hosting provider if its possible to
create a snapshot of the VM so we can simulate and test the upgrade.

I should provide an update later next week on status and schedule.

Best regards,
msg6052 Author: [hidden] (paulschreiber) Date: 2017-12-05 04:24
What you're stating is not true.

- HTTPS has been supported since 1994.
- Modern HTTPS is widely supported
-- TLSv1.0+ has been supported since IE6 (2001), Firefox 2 (2006), Chrome 1 (2008)
-- SNI has been supported since IE7 (2006), Firefox 2, Chrome 6, Safari 3.1. On mobile, 
it's been supported since iOS 4 and Android 3.

I am not sure what you mean by HSTS making "access harder to the information on the 
side" or "and a lot of info is valuable without TLS as well."

The entire internet is moving to HTTPS. As of November 2017, 45% of page loads are 
HTTPS (Firefox telemetry). The Google HTTPS Transparency Report -- -- has more data, showing 76% of 
US page loads are HTTPS, and 86% of US browsing time is HTTPS.

In most cases, sites for technical users (GitHub, GitLab, Sourceforge,, ruby-,, etc.) have lead the way.

Even the stereotypically slow-moving US government is mandating HTTPS:

Usually it's only folks with less technical sophistication who require convincing.

I'm genuinely perplexed by your resistance. (Perhaps someone has hacked your account, 
or you're just trolling me.)
msg6053 Author: [hidden] (ber) Date: 2017-12-13 11:29
Hi Paul:

Regarding HTTPS: it would be very nice to have. It is just who gets
around doing the work and detangle the dependencies with the Python

Regarding: Enforcing HTTPS, which I believe HSTS does:
I'm not sure about the downsides.

For both potential downsides I gave there are examples:
a) applicances inspecting/breaking HTTPS connections and causing problems.
   E.g. see
   It is a study that shows that a significant fraction of HTTPS traffic
   is negatively influences by such applicances.

b) Countries or Companies blocking HTTPS access, an example is
   that the Chinese Wikipedia was blocked by China because of the
   use of HTTPS. (According to Wikipedia at )
msg6082 Author: [hidden] (rouilj) Date: 2018-06-07 00:11
Added issue2550861 as it is the same issue.
msg6155 Author: [hidden] (cmeerw) Date: 2018-08-01 06:46
What's actually the problem that prevents the use of HTTPS?

I see that is hosted on the same IP address (using https) 
- is that preventing using https on the same 
IP address?
msg6174 Author: [hidden] (ber) Date: 2018-08-06 12:56
Someone doing the system administration work.
msg6340 Author: [hidden] (rouilj) Date: 2019-02-13 00:20
With the upgrade of the os by the python folks, we now have https


Also HSTS is set:

Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
msg6341 Author: [hidden] (ber) Date: 2019-02-13 07:35
The main page still points
to http for the tracker.
msg6342 Author: [hidden] (rouilj) Date: 2019-02-13 11:31
Agreed. However the http connection is redirected to https at the 
tracker. So after the first redirect HSTS should kick in so
that all connections to issues are done over TLS. So that helps.

Also is not under TLS, so
that link from the homepage could be reset to http on the fly.
I would be more concerned about the tracker link reference
to http if were under https.

I have changed all the references to http://issues in the website
subdirectory and just checked it in. So whoever does the next
deployment should get the updated link.

-- rouilj
msg6366 Author: [hidden] (ber) Date: 2019-03-06 09:03
Note it would be good to have a link to the python infrastructure
that we are sharing. I haven't been able to easily find more details
about the move and created the following issue with Python's documentation:
msg6367 Author: [hidden] (ber) Date: 2019-03-06 09:27
The webpages are updated now.
Date User Action Args
2019-03-06 09:27:29bersetstatus: open -> fixed
messages: + msg6367
2019-03-06 09:03:32bersetmessages: + msg6366
2019-02-13 11:31:54rouiljsetmessages: + msg6342
2019-02-13 07:35:42bersetstatus: closed -> open
2019-02-13 07:35:31bersetmessages: + msg6341
2019-02-13 00:20:41rouiljsetstatus: new -> closed
resolution: fixed
messages: + msg6340
2018-08-06 12:56:31bersetmessages: + msg6174
2018-08-01 06:46:40cmeerwsetnosy: + cmeerw
messages: + msg6155
2018-06-07 00:11:22rouiljsetsuperseder: HTTPS is a must
messages: + msg6082
2017-12-13 11:29:47bersetmessages: + msg6053
2017-12-05 04:24:34paulschreibersetmessages: + msg6052
2017-07-31 07:53:52bersetmessages: + msg5997
2017-07-29 01:11:43rouiljsetnosy: + rouilj, ber
messages: + msg5995
2017-05-09 16:12:17paulschreibersetnosy: - ber
messages: + msg5974
2017-05-09 14:18:09bersetnosy: + ber
messages: + msg5973
2017-04-29 17:19:51paulschreibercreate