Bug report #8465

Enable https for any connection where the password is submitted

Added by Matthias Kuhn about 7 years ago. Updated over 6 years ago.

Status: Closed
Priority: High
Assignee: -
Category: -
Affected QGIS version: master
Regression?: No
Operating System: -
Easy fix?: No
Pull Request or Patch supplied: No
Resolution: fixed/implemented
Crashes QGIS or corrupts data: No
Copied to github as #: 17233

Description

Enable encryption for any http connection where the password gets submitted (like hub.qgis.org).

Adding this as a blocker for 2.0, because it's really, really, really time this gets fixed.

History

#1 Updated by Nathan Woodrow about 7 years ago

  • Priority changed from Severe/Regression to High

This isn't a blocker for the release because it's website related and we can change that after release.

#2 Updated by Andreas Neumann about 7 years ago

It seems that there are no certificates available at the server - so no https connection possible currently. A task for the new Infrastructure PSC member.

#3 Updated by Matthias Kuhn about 7 years ago

Tim told me that the certificate is available and only needs to be set up.

This is a critical vulnerability and not only a cosmetic fix, as it affects the security of our server. This means obviously the website, but also the binaries and plugins hosted there. This also means that anybody who uses this password somewhere else will also have his mail account / company server or whatever it is compromised.
I would therefore like to get rid of this issue for 2.0 and not postpone it.

#4 Updated by Matthias Kuhn almost 7 years ago

AFAIK @Pirmin_K has setup this certificate at least for https://issues.qgis.org. Thanks a lot.

Are there any other services affected which should be secured and are not yet?
Can we redirect the http version of hub.qgis.org to https, so people who are too lazy to type the scheme name will also benefit from this setup?

#5 Updated by Jürgen Fischer almost 7 years ago

Matthias Kuhn wrote:

AFAIK @Pirmin_K has setup this certificate at least for https://issues.qgis.org. Thanks a lot.

Yes, he did.

Can we redirect the http version of hub.qgis.org to https, so people who are too lazy to type the scheme name will also benefit from this setup?

Only the login page currently gets redirected to https.

#6 Updated by Paolo Cavallini over 6 years ago

  • Target version changed from Version 2.0.0 to Future Release - High Priority

#7 Updated by Jürgen Fischer over 6 years ago

  • Target version deleted (Future Release - High Priority)

#8 Updated by Jürgen Fischer over 6 years ago

  • Resolution set to fixed/implemented
  • Status changed from Open to Closed

not an application problem - but also not a redmine problem anymore - because we're using https to login there now.
