Title: HTTPS only version for login for this tracker
Priority: urgent
Status: resolved
Superseder:
Nosy List: Mariatta, ezio.melotti, inada.naoki, loewis, maciej.szulik, mmangoba, ncoghlan, r.david.murray, techtonik, yan12125
Assigned To: r.david.murray
Topics:

Created on 2012-05-22.05:53:46 by techtonik, last changed 2017-09-08.00:22:11 by ezio.melotti.

msg2505 (view) Author: techtonik Date: 2012-05-22.05:53:45
I often use unencrypted public WiFi networks and logging in to this tracker (which doesn't have any OAuth2 interface) imposes a high security risk. I propose to make login secure.
msg2527 (view) Author: loewis Date: 2012-05-25.17:43:58
The risk isn't really high. Just choose a password that you don't use anywhere else, and the threat of somebody stealing it can be safely ignored. Somebody might be posting in your name, but that doesn't scare me at all.
msg2528 (view) Author: techtonik Date: 2012-05-25.20:39:05
I will be interested to know how many developers are using the same password for all * services. Can you run a hash compare check to see that the risk is really not that high?
msg2529 (view) Author: loewis Date: 2012-05-25.22:52:43
Comparing the password hashes is inconclusive; the passwords are salted.

In any case, this issue is about a problem that you perceive for yourself. Whether or not other people feel likewise threatened, we cannot know.
msg2530 (view) Author: r.david.murray Date: 2012-05-29.10:49:00
I use unique passwords for all services for exactly this reason so I, for one, am not worried.
msg2783 (view) Author: techtonik Date: 2013-09-28.05:57:03
I don't use a unique password and I believe the next competition organized by some not-well-known hacker group may include some Python services just to measure the impact. I don't see any other way to raise the importance of such issues other than transforming them into personal experience.
msg3229 (view) Author: inada.naoki Date: 2017-01-25.06:42:30

> A warning is displayed when a login page does not have a secure connection

I think we should follow "always use HTTPS" trends.
msg3337 (view) Author: Mariatta Date: 2017-04-13.14:20:06
What do we need to move this forward? I would like the bug tracker to always be in https.
msg3339 (view) Author: ncoghlan Date: 2017-04-26.05:29:52
I've added Mark Mangoba (the PSF's Infrastructure Manager) to the nosy list, as the meta-tracker should also be moved to a PSF controlled domain now that itself has been moved to be directly under PSF management rather than being managed by Upfront Systems.
msg3352 (view) Author: maciej.szulik Date: 2017-06-08.05:23:41
We're currently working with Mark to migrate bpo to a different server. I'll make sure this is fixed along the way.
msg3384 (view) Author: ezio.melotti Date: 2017-09-08.00:22:11
This is now fixed thanks to R. David.
Date                 User            Action  Args
2017-09-08 00:22:11  ezio.melotti    set     status: chatting -> resolved
                                             assignedto: r.david.murray
                                             messages: + msg3384
                                             nosy: + ezio.melotti
2017-06-08 05:23:41  maciej.szulik   set     nosy: + maciej.szulik
                                             messages: + msg3352
2017-04-26 05:29:52  ncoghlan        set     nosy: + mmangoba, ncoghlan
                                             messages: + msg3339
2017-04-13 14:20:07  Mariatta        set     nosy: + Mariatta
                                             messages: + msg3337
2017-02-13 09:17:06  yan12125        set     nosy: + yan12125
2017-01-25 06:42:31  inada.naoki     set     nosy: + inada.naoki
                                             messages: + msg3229
2016-08-03 05:54:02  berker.peksag   link    issue602 superseder
2013-09-28 05:57:03  techtonik       set     priority: wish -> urgent
                                             messages: + msg2783
2012-05-29 10:49:00  r.david.murray  set     nosy: + r.david.murray
                                             messages: + msg2530
2012-05-25 22:52:43  loewis          set     priority: critical -> wish
                                             messages: + msg2529
2012-05-25 20:39:05  techtonik       set     priority: wish -> critical
                                             messages: + msg2528
2012-05-25 17:43:58  loewis          set     status: unread -> chatting
                                             nosy: + loewis
                                             messages: + msg2527
2012-05-25 17:42:12  loewis          set     priority: critical -> wish
2012-05-22 05:53:46  techtonik       create