Opened 12 years ago

Closed 8 years ago

#1000 closed enhancement (fixed)

Please consider enabling https on trac and forum

Reported by: fabio Owned by:
Priority: If Time Permits Milestone: Website / Forum
Component: Website / Forum Keywords:
Cc: Brian Stempin Patch:

Description

At least with a self-signed certificate, but Google reveals that at least one CA ( http://www.godaddy.com/ssl/ssl-open-source.aspx ) gives a 1-year free certificate to open source projects. There were too many security problems involving open source projects recently. Https is just a little step on improving security.

Change History (25)

comment:1 by Erik Johansson, 12 years ago

Cc: Brian Stempin added

comment:2 by Philip Taylor, 12 years ago

I don't think enabling it on Trac would provide any benefits. The only potentially sensitive information sent to the server is Trac passwords, and that's done with digest authentication so the passwords aren't vulnerable to passive attacks anyway.
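Added example (not part of the ticket) of what the HTTP Digest authentication mentioned above actually puts on the wire: the RFC 2617 client computation and the server-side check against a stored HA1, as an Apache htdigest file holds it. The realm, URI, nonces and passwords are constructed values.

```python
import hashlib
import hmac

# Constructed sample values standing in for a Trac login (assumed realm name).
REALM = "trac"
USERNAME = "fabio"
PASSWORD = "correct-horse"
METHOD, URI = "GET", "/ticket/1000"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # server nonce (constructed)
CNONCE, NC = "0a4f113b", "00000001"           # client nonce and counter


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """Client side (RFC 2617, qop=auth): only this hash is sent to the server."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce,
                  response, qop="auth"):
    """Server side: recompute from the stored HA1 (never the password) and
    compare in constant time."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected, response)


def exchange(password_tried):
    """One challenge/response round; returns the Authorization header a passive
    observer would see and whether the server accepted it."""
    resp = digest_response(USERNAME, REALM, password_tried, METHOD, URI,
                           NONCE, NC, CNONCE)
    header = (f'Authorization: Digest username="{USERNAME}", realm="{REALM}", '
              f'nonce="{NONCE}", uri="{URI}", qop=auth, nc={NC}, '
              f'cnonce="{CNONCE}", response="{resp}"')
    stored_ha1 = _md5(f"{USERNAME}:{REALM}:{PASSWORD}")  # what htdigest stores
    ok = server_verify(stored_ha1, METHOD, URI, NONCE, NC, CNONCE, resp)
    return header, ok


if __name__ == "__main__":
    hdr, accepted = exchange(PASSWORD)
    print(hdr)
    print("accepted:", accepted, "| password visible on wire:", PASSWORD in hdr)
```

The header carries no password, which is the point made above; what it does not give you is any protection for the rest of the session (cookies, ticket content), and a weak password behind an MD5 response remains guessable offline by anyone who recorded the exchange.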

comment:3 by Brian Stempin, 12 years ago

Owner: set to Brian Stempin
Status: new → assigned

We should at least self-sign or something. I'll take this on as a future enhancement.

in reply to: 3; comment:4 by historic_bruno, 12 years ago

Replying to bstempi:

We should at least self-sign or something. I'll take this on as a future enhancement.

Does that mean my browser (Firefox) will show scary warnings when I visit Trac? If so, please don't do that :(

in reply to:  4 comment:5 by fabio, 12 years ago

Replying to historic_bruno:

Replying to bstempi:

We should at least self-sign or something. I'll take this on as a future enhancement.

Does that mean my browser (Firefox) will show scary warnings when I visit Trac? If so, please don't do that :(

See the first post: godaddy gives free certs to open source projects.

comment:6 by Philip Taylor, 12 years ago

Free for a year, then seemingly £44/year after that for a single domain. Also it'd most likely need an extra IP address (~€23/year) per domain (at least for the Trac/SVN/etc server, probably not the forums), since SSL is incompatible with virtual hosting. (I did have a self-signed cert on svn.wildfiregames.com for a while, to help people circumvent broken proxies, but got rid of it because it interfered with the virtual hosting.)

comment:7 by Kieran P, 12 years ago

Milestone: Backlog → Website / Forum

comment:8 by historic_bruno, 12 years ago

Priority: Should Have → If Time Permits

in reply to:  6 comment:9 by historic_bruno, 11 years ago

Could we use StartSSL Free?

in reply to:  6 comment:10 by fabio, 11 years ago

Replying to Philip:

Free for a year, then seemingly £44/year after that for a single domain. Also it'd most likely need an extra IP address (~€23/year) per domain (at least for the Trac/SVN/etc server, probably not the forums), since SSL is incompatible with virtual hosting. (I did have a self-signed cert on svn.wildfiregames.com for a while, to help people circumvent broken proxies, but got rid of it because it interfered with the virtual hosting.)

BTW I am happily using SSL virtual hosting (dozens of SSL sites with different domains using a single certificate with multiple domains on the same server with only 1 IP). IIRC proper support was added with apache 2.2 and recent browsers.

Last edited 11 years ago by fabio (previous) (diff)

comment:11 by Jan Middelkoop, 10 years ago

Right now there is a self-signed certificate with "localhost", which causes a security warning, if you try to access https. If you ignore the warning and use https regardless, you get all kinds of apache stuff, but not the actual website.

Isn't this something we could just ask our webhost to do, rather than worry about it ourselves? I've had quite a lot of contact with the person in the past days, don't mind sending him an e-mail asking what the possibilities are.

comment:12 by pointhi, 10 years ago

There are also free signed Class 1 Certificates available: https://www.startssl.com.

Firefox and other modern browsers don't cause a warning with StartSSL certificates.

comment:13 by Josh, 10 years ago

It'd be nice to get this fixed. Right now https://play0ad.com somehow redirects to https://clients.indianamusiceducation.org/manage/ for who knows why.

in reply to:  13 comment:14 by historic_bruno, 10 years ago

Milestone: Website / Forum
Resolution: wontfix
Status: assigned → closed

Replying to Josh:

It'd be nice to get this fixed. Right now https://play0ad.com somehow redirects to https://clients.indianamusiceducation.org/manage/ for who knows why.

I believe that is a site of our current web host and nothing suspicious.

Anyway I agree with Philip, there's no point to this other than creating an annoyance and cost, so I'm marking it as "wontfix" (personally, I'm glad we weren't using SSL when the recent Heartbleed exploit was discovered, no doubt we would have been using the affected version of OpenSSL)

comment:15 by Philip Taylor, 10 years ago

BTW I am happily using SSL virtual hosting (dozens of SSL sites with different domains using a single certificate with multiple domains on the same server with only 1 IP). IIRC proper support was added with apache 2.2 and recent browsers.

Apparently it's not supported by IE on WinXP, and Android 2.x ( http://en.wikipedia.org/wiki/Server_Name_Indication ) - have you tested whether your sites have any problems with those?

I'm glad we weren't using SSL when the recent Heartbleed exploit was discovered, no doubt we would have been using the affected version of OpenSSL

The Trac/SVN server wouldn't have been affected - its version of OpenSSL is too old.
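Added example (not the project's own configuration) of the name-based SSL virtual hosting discussed in comment 10 and comment 15: two certificates on one IP, selected by Server Name Indication. Host names are the ones on this page; the certificate paths and the strict-SNI choice are assumptions.

```apache
# Apache 2.2.12+ with OpenSSL 0.9.8f+ (the combination that added SNI support).
# Apache 2.2 still needs this line; 2.4 does not.
NameVirtualHost *:443

# Clients that send no SNI (the IE-on-WinXP and Android 2.x cases mentioned
# above) are handed the FIRST vhost's certificate. Set this "on" to refuse
# them with a TLS alert instead of serving a certificate for the wrong name.
SSLStrictSNIVHostCheck off

<VirtualHost *:443>
    ServerName trac.wildfiregames.com
    ServerAlias svn.wildfiregames.com
    SSLEngine on
    # assumed paths
    SSLCertificateFile    /etc/ssl/certs/wildfiregames.com.crt
    SSLCertificateKeyFile /etc/ssl/private/wildfiregames.com.key
    SSLCertificateChainFile /etc/ssl/certs/wildfiregames.com.chain.crt
    DocumentRoot /var/www/trac
</VirtualHost>

<VirtualHost *:443>
    ServerName play0ad.com
    ServerAlias www.play0ad.com
    SSLEngine on
    # assumed paths; a separate certificate, not a multi-domain one
    SSLCertificateFile    /etc/ssl/certs/play0ad.com.crt
    SSLCertificateKeyFile /etc/ssl/private/play0ad.com.key
    SSLCertificateChainFile /etc/ssl/certs/play0ad.com.chain.crt
    DocumentRoot /var/www/play0ad
</VirtualHost>
```

Whether a given client negotiates the right name can be checked with `openssl s_client -connect host:443 -servername play0ad.com` versus the same command without `-servername`; the second shows what the non-SNI clients in comment 15 would receive.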

comment:16 by Josh, 10 years ago

Milestone: Website / Forum
Resolution: wontfix
Status: closed → reopened

Another reason supporting this is that Google has started preferring SSL sites in search. We should revisit this after moving to one central server.

comment:17 by historic_bruno, 9 years ago

Owner: Brian Stempin removed
Status: reopened → new

comment:19 by Blake, 9 years ago

Just use github as an issue tracker.

Commenting here to register my support for this. Your authentication uses plaintext! I'm in an airport.

My password is "hello" until this is fixed, because having a password at all is worthless.

in reply to: 19; comment:20 by leper, 9 years ago

Replying to Cokemonkey11:

Just use github as an issue tracker.

Not going to happen.

Also excellent choice of posting your pw in plain text... why not just use hunter2?

Also this is a bug tracker not a forum so your comment does not add anything.

in reply to:  20 comment:21 by Blake, 9 years ago

Replying to leper:

Replying to Cokemonkey11:

Just use github as an issue tracker.

Not going to happen.

I seem to be the first person to have suggested it. Any chance at some further explanation?

Also excellent choice of posting your pw in plain text... why not just use hunter2?

Also this is a bug tracker not a forum so your comment does not add anything.

Activity and comment density in issues are usually used as indicators of importance. Of course, every project is different. My apologies if I've gone against the grain.

comment:22 by leper, 9 years ago

Related to discussions around #1814, #1816, #1819 (quite some irc logs and forum topics (possibly not all of them public for the latter)). Same reason as we want to keep our own git server once those tickets are done (control). Moving all the tickets for whatever little gain using github would offer seems like a lot of work.

Yes, and if there are no comments that add anything of value that just creates noise that does not help with deciding if there is some activity or not (apart from the fact that checking with relevant persons on other media (forum, irc, email, etc) would help most with getting an idea). (Not that I'm blaming you for making a mistake the first time you comment here).

A bit more related to this ticket (mostly because it would enable some people with more time to work on such issues) would be a pending server migration (don't hold your breath though).

comment:23 by Raymond, 9 years ago

Any updates?

comment:24 by smitec, 8 years ago

While this seems to have gone quiet it may be worth mentioning that Let's Encrypt (https://letsencrypt.org/) is now trusted and offers free certificates. There are a number of tools which automate the process of renewal as well (depending on what web server is being used):

https://github.com/letsencrypt/letsencrypt

https://vincent.composieux.fr/article/install-configure-and-automatically-renew-let-s-encrypt-ssl-certificate

comment:25 by Jan Middelkoop, 8 years ago

Resolution: fixed
Status: new → closed

Well, ladies and gentlemen. It seems good things come to those who wait after all.

https://wildfiregames.com/ https://play0ad.com/

Have an encrypted day.
