Bug report #8465
Enable https for any connection where the password is submitted
| Status: | Closed | ||
|---|---|---|---|
| Priority: | High | ||
| Assignee: | - | ||
| Category: | - | ||
| Affected QGIS version: | master | Regression?: | No |
| Operating System: | Easy fix?: | No | |
| Pull Request or Patch supplied: | No | Resolution: | fixed/implemented |
| Crashes QGIS or corrupts data: | No | Copied to github as #: | 17233 |
Description
Enable encryption for any http connection, where the password gets submitted (like hub.qgis.org)
Adding this as a blocker for 2.0, because it's really, really, really time this gets fixed.
History
#1
Updated by Nathan Woodrow over 10 years ago
- Priority changed from Severe/Regression to High
This isn't a blocker for the release because it's website related and we can change that after release.
#2
Updated by Andreas Neumann over 10 years ago
It seems that there are no certificates available at the server - so no https connection possible currently. A task for the new Infrastructure PSC member.
#3
Updated by Matthias Kuhn over 10 years ago
Tim told me, that the certificate is available and only needs to be set up.
This is a critical vulnerability and not only a cosmetic fix, as it affects the security of our server. This means obviously the website, but also the binaries and plugins hosted there. This means also, that anybody who uses this password somewhere else, will have also have his mail account / company server or whatever it is compromised.
I would therefore like to get rid of this issue for 2.0 and not postpone it.
#4
Updated by Matthias Kuhn over 10 years ago
AFAIK @Pirmin_K has setup this certificate at least for https://issues.qgis.org. Thanks a lot.
Are there any other services affected which should be secured and are not yet?
Can we redirect the http version of hub.qgis.org to https, so people who are too lazy to type the scheme name will also benefit from this setup?
#5
Updated by Jürgen Fischer over 10 years ago
Matthias Kuhn wrote:
AFAIK @Pirmin_K has setup this certificate at least for https://issues.qgis.org. Thanks a lot.
Yes, he did.
Can we redirect the http version of hub.qgis.org to https, so people who are too lazy to type the scheme name will also benefit from this setup?
Only the login page currently gets redirected to https.
#6
Updated by Paolo Cavallini about 10 years ago
- Target version changed from Version 2.0.0 to Future Release - High Priority
#7
Updated by Jürgen Fischer about 10 years ago
- Target version deleted (
Future Release - High Priority)
#8
Updated by Jürgen Fischer about 10 years ago
- Resolution set to fixed/implemented
- Status changed from Open to Closed
not a application problem - but also not a redmine problem anymore - because we're using https to login there now.