Opened 12 years ago
Closed 8 years ago
#1000 closed enhancement (fixed)
Please consider enabling https on trac and forum
| Reported by: | fabio | Owned by: | |
|---|---|---|---|
| Priority: | If Time Permits | Milestone: | Website / Forum |
| Component: | Website / Forum | Keywords: | |
| Cc: | Brian Stempin | Patch: | |
Description
At least with a self-signed certificate, but Google reveals that at least one CA ( http://www.godaddy.com/ssl/ssl-open-source.aspx ) gives a 1 year free certificate to open source projects. There have been too many security problems involving open source projects recently. HTTPS is just a small step towards improving security.
Change History (25)
comment:1 by , 12 years ago
| Cc: | added |
|---|---|
comment:2 by , 12 years ago
follow-up: 4 comment:3 by , 12 years ago
| Owner: | set to |
|---|---|
| Status: | new → assigned |
We should at least self-sign or something. I'll take this on as a future enhancement.
follow-up: 5 comment:4 by , 12 years ago
Replying to bstempi:
We should at least self-sign or something. I'll take this on as a future enhancement.
Does that mean my browser (Firefox) will show scary warnings when I visit Trac? If so, please don't do that :(
comment:5 by , 12 years ago
Replying to historic_bruno:
Replying to bstempi:
We should at least self-sign or something. I'll take this on as a future enhancement.
Does that mean my browser (Firefox) will show scary warnings when I visit Trac? If so, please don't do that :(
See the first post: godaddy gives free certs to open source projects.
follow-ups: 9 10 comment:6 by , 12 years ago
Free for a year, then seemingly £44/year after that for a single domain. Also it'd most likely need an extra IP address (~€23/year) per domain (at least for the Trac/SVN/etc server, probably not the forums), since SSL is incompatible with virtual hosting. (I did have a self-signed cert on svn.wildfiregames.com for a while, to help people circumvent broken proxies, but got rid of it because it interfered with the virtual hosting.)
comment:7 by , 12 years ago
| Milestone: | Backlog → Website / Forum |
|---|---|
comment:8 by , 12 years ago
| Priority: | Should Have → If Time Permits |
|---|---|
comment:10 by , 11 years ago
Replying to Philip:
Free for a year, then seemingly £44/year after that for a single domain. Also it'd most likely need an extra IP address (~€23/year) per domain (at least for the Trac/SVN/etc server, probably not the forums), since SSL is incompatible with virtual hosting. (I did have a self-signed cert on svn.wildfiregames.com for a while, to help people circumvent broken proxies, but got rid of it because it interfered with the virtual hosting.)
BTW I am happily using SSL virtual hosting (a dozen SSL sites with different domains using a single certificate with multiple domains on the same server with only 1 IP). IIRC proper support was added with Apache 2.2 and recent browsers.
comment:11 by , 10 years ago
Right now there is a self-signed certificate with "localhost", which causes a security warning, if you try to access https. If you ignore the warning and use https regardless, you get all kinds of apache stuff, but not the actual website.
Isn't this something we could just ask our webhost to do, rather than worry about it ourselves? I've had quite a lot of contact with the person in the past days, don't mind sending him an e-mail asking what the possibilities are.
comment:12 by , 10 years ago
There are also free signed Class 1 Certificates available: https://www.startssl.com.
Firefox and other modern browsers don't show a warning with StartSSL certificates.
follow-up: 14 comment:13 by , 10 years ago
It'd be nice to get this fixed. Right now https://play0ad.com somehow redirects to https://clients.indianamusiceducation.org/manage/ for who knows why.
comment:14 by , 10 years ago
| Milestone: | Website / Forum |
|---|---|
| Resolution: | → wontfix |
| Status: | assigned → closed |
Replying to Josh:
It'd be nice to get this fixed. Right now https://play0ad.com somehow redirects to https://clients.indianamusiceducation.org/manage/ for who knows why.
I believe that is a site of our current web host and nothing suspicious.
Anyway I agree with Philip, there's no point to this other than creating an annoyance and cost, so I'm marking it as "wontfix" (personally, I'm glad we weren't using SSL when the recent Heartbleed exploit was discovered, no doubt we would have been using the affected version of OpenSSL)
comment:15 by , 10 years ago
BTW I am happily using SSL virtual hosting (a dozen SSL sites with different domains using a single certificate with multiple domains on the same server with only 1 IP). IIRC proper support was added with Apache 2.2 and recent browsers.
Server Name Indication (http://en.wikipedia.org/wiki/Server_Name_Indication): apparently it's not supported by IE on WinXP and Android 2.x - have you tested whether your sites have any problems with those?
I'm glad we weren't using SSL when the recent Heartbleed exploit was discovered, no doubt we would have been using the affected version of OpenSSL
The Trac/SVN server wouldn't have been affected - its version of OpenSSL is too old.
comment:16 by , 10 years ago
| Milestone: | → Website / Forum |
|---|---|
| Resolution: | wontfix |
| Status: | closed → reopened |
Another reason supporting this is that Google has started preferring SSL sites in search. We should revisit this after moving to one central server.
comment:17 by , 9 years ago
| Owner: | removed |
|---|---|
| Status: | reopened → new |
comment:18 by , 9 years ago
https://www.globalsign.com/ssl/ssl-open-source/ might be something to consider.
follow-up: 20 comment:19 by , 9 years ago
Just use github as an issue tracker.
Commenting here to register my support for this. Your authentication uses plaintext! I'm in an airport.
My password is "hello" until this is fixed, because having a password at all is worthless.
follow-up: 21 comment:20 by , 9 years ago
Replying to Cokemonkey11:
Just use github as an issue tracker.
Not going to happen.
Also excellent choice of posting your pw in plain text... why not just use hunter2?
Also this is a bug tracker not a forum so your comment does not add anything.
comment:21 by , 9 years ago
Replying to leper:
Replying to Cokemonkey11:
Just use github as an issue tracker.
Not going to happen.
I seem to be the first person to have suggested it. Any chance at some further explanation?
Also excellent choice of posting your pw in plain text... why not just use hunter2?
Also this is a bug tracker not a forum so your comment does not add anything.
Activity and comment density in issues are usually used as indicators of importance. Of course, every project is different. My apologies if I've gone against the grain.
comment:22 by , 9 years ago
Related to discussions around #1814, #1816, #1819 (quite some irc logs and forum topics (possibly not all of them public for the latter)). Same reason as we want to keep our own git server once those tickets are done (control). Moving all the tickets for whatever little gain using github would offer seems like a lot of work.
Yes, and if there are no comments that add anything of value that just creates noise that does not help with deciding if there is some activity or not (apart from the fact that checking with relevant persons on other media (forum, irc, email, etc) would help most with getting an idea). (Not that I'm blaming you for making a mistake the first time you comment here).
A bit more related to this ticket (mostly because it would enable some people with more time to work on such issues) would be a pending server migration (don't hold your breath though).
comment:24 by , 8 years ago
While this seems to have gone quiet it may be worth mentioning that Let's Encrypt (https://letsencrypt.org/) is now trusted and offers free certificates. There are a number of tools which automate the process of renewal as well (depending on what web server is being used):
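The checks this thread keeps circling back to (does one certificate cover several hostnames served over SNI from one IP, as in comment 10; is the certificate self-signed for the wrong name, as the "localhost" one in comment 11; and how close is renewal, which the tools mentioned above automate) can be scripted. The following is an added Python example, not code from this ticket or from Wildfire Games' own tooling. The two certificate dicts are constructed in the shape that `ssl.SSLSocket.getpeercert()` returns and are not real certificates; `NOW` is pinned so the example runs offline, and `fetch_peer_cert` is the only function that touches the network.

```python
import socket
import ssl
import time

# Constructed sample certificates in the dict shape that
# ssl.SSLSocket.getpeercert() returns; neither is a real certificate.
SELF_SIGNED_LOCALHOST = {
    "subject": ((("commonName", "localhost"),),),
    "issuer": ((("commonName", "localhost"),),),   # issuer == subject
    "notBefore": "Jan  1 00:00:00 2014 GMT",
    "notAfter": "Jan  1 00:00:00 2015 GMT",
}

MULTI_DOMAIN_CERT = {
    "subject": ((("commonName", "wildfiregames.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),  # constructed issuer
    "notBefore": "Mar  1 00:00:00 2014 GMT",
    "notAfter": "Jun 20 00:00:00 2014 GMT",
    "subjectAltName": (
        ("DNS", "wildfiregames.com"),
        ("DNS", "*.wildfiregames.com"),
        ("DNS", "play0ad.com"),
    ),
}

# Fixed "now" so the example is reproducible offline.
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2014 GMT")


def dns_names(cert):
    """Names the certificate is valid for: SAN DNS entries, else the CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    # Legacy fallback: the CN only counts when there is no SAN extension.
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def _name_matches(pattern, hostname):
    """Exact match, or a wildcard covering exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                       # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def hostname_matches(cert, hostname):
    return any(_name_matches(name, hostname) for name in dns_names(cert))


def is_self_signed(cert):
    return cert.get("subject") == cert.get("issuer")


def days_until_expiry(cert, now=None):
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def check_cert(cert, hostname, now=None, renew_within_days=30):
    """Return a list of finding codes; an empty list means no problem found."""
    findings = []
    if not hostname_matches(cert, hostname):
        findings.append("hostname_mismatch")   # browsers warn on this
    if is_self_signed(cert):
        findings.append("self_signed")         # not trusted by default
    days = days_until_expiry(cert, now)
    if days < 0:
        findings.append("expired")
    elif days <= renew_within_days:
        findings.append("renew_soon")          # what automated renewal prevents
    return findings


def fetch_peer_cert(hostname, port=443, timeout=5):
    """Fetch and validate a live certificate, sending the hostname via SNI
    (server_hostname) so a server hosting several sites on one IP can pick
    the right certificate. Not used by the offline checks."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for cert, host in ((SELF_SIGNED_LOCALHOST, "wildfiregames.com"),
                       (MULTI_DOMAIN_CERT, "play0ad.com"),
                       (MULTI_DOMAIN_CERT, "forum.wildfiregames.com")):
        print(host, "->", check_cert(cert, host, now=NOW) or "ok")
```

Run against the constructed samples, the "localhost" certificate reports both a hostname mismatch and self-signing, which is exactly the browser warning described in comment 11, while the multi-domain certificate covers `play0ad.com` and one level of `*.wildfiregames.com` but is flagged for renewal because it expires within 30 days.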
comment:25 by , 8 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Well, ladies and gentlemen. It seems good things come to those who wait after all.
https://wildfiregames.com/ https://play0ad.com/
Have an encrypted day.
I don't think enabling it on Trac would provide any benefits. The only potentially sensitive information sent to the server is Trac passwords, and that's done with digest authentication so the passwords aren't vulnerable to passive attacks anyway.
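To make the digest-authentication point above concrete, here is an added Python example (not code from this ticket or from Trac itself). It builds an HTTP Basic header and an RFC 2617 Digest header (qop=auth) for constructed credentials, shows which of the two a passive observer can read the password from, and verifies the Digest response on the server side from an htdigest-style stored HA1 rather than the password. The realm, nonce and credentials are constructed values.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Constructed values for the example; Trac's real realm and nonces differ.
REALM = "trac"
NONCE = "7d1b3f9a0c2e4b6d8f0a1c3e5b7d9f11"


def basic_header(username, password):
    """HTTP Basic: the credentials are only base64-encoded, not protected."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def password_recoverable_from(header):
    """What a passive observer learns from the header: the password itself
    for Basic, nothing directly usable for Digest."""
    prefix = "Authorization: Basic "
    if header.startswith(prefix):
        return base64.b64decode(header[len(prefix):]).decode().split(":", 1)[1]
    return None


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def htdigest_entry(username, realm, password):
    """HA1 as stored by htdigest-style password files: MD5(user:realm:pw)."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response with qop=auth, computed from HA1 (never the password)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_header(username, realm, password, method, uri, nonce, nc="00000001", cnonce=None):
    """Client side: build the Authorization header for one request."""
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = htdigest_entry(username, realm, password)
    response = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return (
        f'Authorization: Digest username="{username}", realm="{realm}", '
        f'nonce="{nonce}", uri="{uri}", qop=auth, nc={nc}, '
        f'cnonce="{cnonce}", response="{response}"'
    )


def parse_digest_header(header):
    """Parse key=value / key="value" pairs of a Digest Authorization header."""
    prefix = "Authorization: Digest "
    if not header.startswith(prefix):
        raise ValueError("not a Digest header")
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[len(prefix):]):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def verify_digest(header, method, ha1_by_user, issued_nonces):
    """Server side: recompute the response from the stored HA1 and compare in
    constant time. The nonce must be one this server issued (real servers also
    expire nonces and track nc), so a captured header is not reusable forever,
    and the method is part of HA2, so the response is bound to the request."""
    f = parse_digest_header(header)
    ha1 = ha1_by_user.get(f.get("username", ""))
    if ha1 is None or f.get("nonce") not in issued_nonces:
        return False
    expected = digest_response(ha1, method, f.get("uri", ""), f.get("nonce", ""),
                               f.get("nc", ""), f.get("cnonce", ""), f.get("qop", "auth"))
    return hmac.compare_digest(expected, f.get("response", ""))


if __name__ == "__main__":
    users = {"fabio": htdigest_entry("fabio", REALM, "s3cret")}   # constructed store
    hdr = digest_header("fabio", REALM, "s3cret", "POST", "/trac/login", NONCE)
    print("Basic leaks:", password_recoverable_from(basic_header("fabio", "s3cret")))
    print("Digest leaks:", password_recoverable_from(hdr))
    print("Server accepts:", verify_digest(hdr, "POST", users, {NONCE}))
```

Digest keeps the password itself off the wire, which is the point made above. It does not protect anything else in the session (cookies, ticket content, the request itself) and the MD5 response can still be tested offline against guessed passwords, so it is a mitigation for the password only, not a replacement for HTTPS.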