
Hi,

When I go to http://bugs.python.org/ Firefox warns me that the form on the left to login (user, password) sends data in clear text (HTTP).

Ok, I switch manually to HTTPS: add "s" in "http://" of the URL.

I log in.

I go to an issue using HTTPS like https://bugs.python.org/issue31250

I modify an issue using the form and click on [Submit Changes] (or just press Enter): I'm back to HTTP. Truncated URL:

http://bugs.python.org/issue31250?@ok_message=msg%20301099%20created%...

Hum, again I switch manually to HTTPS by modifying the URL:

https://bugs.python.org/issue31250?@ok_message=msg%20301099%20created%...

I click on the "clear this message" link: oops, I'm back to the HTTP world...

http://bugs.python.org/issue31250

So, would it be possible to enforce HTTPS on the bug tracker?

The best would be to always generate HTTPS urls and *maybe* redirect HTTP to HTTPS.

Sorry, I don't know what are the best practices. For example, should we use HTTPS only cookies?

Victor

FYI, there is an issue report for it.
http://psf.upfronthosting.co.za/roundup/meta/issue463

INADA Naoki <songofacandy@gmail.com>

On Fri, Sep 1, 2017 at 9:57 PM, Victor Stinner <victor.stinner@gmail.com> wrote:

## HTTP STS

- Wikipedia: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
- Docs: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-S...
- https://https.cio.gov/hsts/

## letsencrypt

"A free, automated, and open certificate authority."

- Wikipedia: https://en.wikipedia.org/wiki/Let%27s_Encrypt
- Homepage: https://letsencrypt.org/
- Src: https://github.com/letsencrypt
- Docs: https://letsencrypt.readthedocs.io/en/latest/
- Docs: https://letsencrypt.readthedocs.io/en/latest/using.html#getting-certificates...
- Docs: https://letsencrypt.readthedocs.io/en/latest/using.html#third-party-plugins

### ACME Protocol

- Wikipedia: https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment

On Fri, Sep 1, 2017 at 8:35 AM, Mariatta Wijaya <mariatta.wijaya@gmail.com> wrote:

Here's e.g. Jupyter Notebook w/ letsencrypt in a Makefile:
https://github.com/jupyter/docker-stacks/blob/master/examples/make-deploy/le...

...

https://github.com/jupyter/docker-stacks

On Fri, Sep 1, 2017 at 9:08 AM, Wes Turner <wes.turner@gmail.com> wrote:

2017-09-01 15:36 GMT+02:00 Antoine Pitrou <solipsis@pitrou.net>:
> And by the way the problem goes away if you use the "HTTPS Everywhere" plugin for Firefox.

I do have "HTTPS Everywhere" Firefox plugin version 2017.8.31 (so it seems very recent), but it displayed as "obsolete" ("obsolète" in French). I'm using Firefox 55 on Fedora 26. It seems like the plugin has to be updated to use the new WebExtensions API.

https://www.eff.org/https-everywhere

https://github.com/EFForg/https-everywhere/issues/7389

"No. HTTPS Everywhere has already been migrated to WebExtensions. We're unable to switch HTTPSE on Firefox over to WebExtensions until Tor Browser rebases to FF 52 ESR, as I already stated: #7389 (comment)"

"Currently the main blocker to WebExtensions deployment on Firefox is a secure signing mechanism for the self-hosted version. See #9958 (comment)"

In short, it doesn't work :-)

Victor

2017-09-01 16:34 GMT+02:00 Antoine Pitrou <antoine@python.org>:
> I'm using Firefox 55 on Ubuntu 16.04 and it works here. You may be misunderstanding what happens :-)

Maybe I misunderstood you when you wrote:

> And by the way the problem goes away if you use the "HTTPS Everywhere" plugin for Firefox.

Try for example this page:
https://bugs.python.org/issue31234?@ok_message=msg%20301118%20created

For me, the "clear this message" link is HTTP, not HTTPS:
http://bugs.python.org/issue31234

Victor

On Fri, Sep 01, 2017 at 05:27:59PM +0200, Antoine Pitrou <solipsis@pitrou.net> wrote:
It doesn't for me. :-( FFox 55.0.1, HTTPS Everywhere 2017.8.15.
> Regards
> Antoine.

Oleg.
--
Oleg Broytman http://phdru.name/ phd@phdru.name
Programmers don't die, they just GOSUB without RETURN.

On Fri, 1 Sep 2017 17:31:00 +0200 Oleg Broytman <phd@phdru.name> wrote:
That's surprising. It's definitely part of the standard rules (enabled by default):
https://www.eff.org/https-everywhere/atlas/domains/python.org.html

Perhaps you tweaked your configuration?

Regards

Antoine.

On Fri, Sep 01, 2017 at 07:06:57PM +0200, Antoine Pitrou <solipsis@pitrou.net> wrote:
Not for HTTPS Everywhere.
> Regards
> Antoine.
Oleg.

On Fri, Sep 01, 2017 at 02:55:40PM -0400, Terry Reedy <tjreedy@udel.edu> wrote:
I upgraded Fox and the extension. http://bugs.python.org now is redirected to https:// Thanks!
Oleg.

You're right. It should be a bpo configuration issue.

https://hg.python.org/tracker/roundup/file/bugs.python.org/roundup/cgi/clien...
https://hg.python.org/tracker/python-dev/file/tip/config.ini.template#l118

I can't see the real config file used for bpo. But maybe, tracker.web is 'http://bugs.python.org/' instead of 'https://bugs.python.org/'

INADA Naoki <songofacandy@gmail.com>

On Fri, Sep 1, 2017 at 10:29 PM, Antoine Pitrou <solipsis@pitrou.net> wrote:

Fixed. Thanks to infra team.
http://psf.upfronthosting.co.za/roundup/meta/issue638

INADA Naoki <songofacandy@gmail.com>

On Fri, Sep 1, 2017 at 9:57 PM, Victor Stinner <victor.stinner@gmail.com> wrote:
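
The downgrade reported in this thread (absolute http:// links and form targets on pages served over HTTPS, traced to the tracker's configured base URL) and the HSTS and secure-cookie questions raised alongside it can be checked mechanically. The following is an added example, not part of the original thread or of Roundup's code; the sample HTML, the response headers and the cookie name `session_id` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _Links(HTMLParser):
    """Collect every href/action/src attribute value together with its tag."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "action", "src") and value:
                self.found.append((tag, name, value))

def find_downgrades(page_url, html):
    """Same-host URLs on an HTTPS page that resolve to plain http://."""
    page, parser = urlsplit(page_url), _Links()
    parser.feed(html)
    bad = []
    for tag, attr, raw in parser.found:
        target = urlsplit(urljoin(page_url, raw))  # resolves relative links
        if target.scheme == "http" and target.hostname == page.hostname:
            bad.append((tag, attr, raw))
    return bad

def _hsts_max_age(value):
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age" and val.strip('"').isdigit():
            return int(val.strip('"'))
    return 0  # missing or malformed max-age means no protection

def audit_headers(headers):
    """headers: (name, value) pairs from a response served over HTTPS."""
    problems = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts or _hsts_max_age(hsts[0]) <= 0:
        problems.append("no effective Strict-Transport-Security header")
    for n, v in headers:
        flags = [p.strip().lower() for p in v.split(";")[1:]]
        if n.lower() == "set-cookie" and "secure" not in flags:
            problems.append("cookie without Secure: " + v.split("=", 1)[0])
    return problems

# Constructed sample: a page fetched over HTTPS but rendered with an http:// base URL.
SAMPLE_URL = "https://bugs.python.org/issue31250"
SAMPLE_HTML = """<a href="http://bugs.python.org/issue31250">clear this message</a>
<form method="post" action="http://bugs.python.org/issue31250"></form>
<a href="issue31234">relative link, stays on https</a>
<a href="http://example.org/">other host, out of scope</a>"""
SAMPLE_HEADERS = [("Content-Type", "text/html"),
                  ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly")]
```
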
participants (8)
- Antoine Pitrou
- Antoine Pitrou
- INADA Naoki
- Mariatta Wijaya
- Oleg Broytman
- Terry Reedy
- Victor Stinner
- Wes Turner