
Hi,
When I go to http://bugs.python.org/ Firefox warns me that the form on the left to login (user, password) sends data in clear text (HTTP).
Ok, I switch manually to HTTPS: add "s" in "http://" of the URL.
I log in.
I go to an issue using HTTPS like https://bugs.python.org/issue31250
I modify an issue using the form and click on [Submit Changes] (or just press Enter): I'm back to HTTP. Truncated URL:
http://bugs.python.org/issue31250?@ok_message=msg%20301099%20created%...
Hum, again I switch manually to HTTPS by modifying the URL:
https://bugs.python.org/issue31250?@ok_message=msg%20301099%20created%...
I click on the "clear this message" link: oops, I'm back to the HTTP world...
http://bugs.python.org/issue31250
So, would it be possible to enforce HTTPS on the bug tracker?
The best would be to always generate HTTPS urls and *maybe* redirect HTTP to HTTPS.
Sorry, I don't know what are the best practices. For example, should we use HTTPS only cookies?
Victor
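Added example (not part of the original thread, and not Roundup or bugs.python.org code): a small Python check for the three things the message above asks about, namely same-host links or form targets that drop back to HTTP, a missing HSTS header, and cookies set without the Secure flag. The response is constructed for illustration; the cookie name and value and the helper names are assumptions, while the URLs are the ones quoted in the thread.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit


class TargetCollector(HTMLParser):
    """Collect (tag, URL) pairs from <a href> and <form action>."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        wanted = {"a": "href", "form": "action"}.get(tag)
        self.targets += [(tag, v) for k, v in attrs if k == wanted and v]


def audit_https(page_url, headers, html):
    """Return findings for one response that was fetched over HTTPS."""
    host = urlsplit(page_url).hostname
    findings = []
    collector = TargetCollector()
    collector.feed(html)
    for tag, target in collector.targets:
        parts = urlsplit(urljoin(page_url, target))  # resolve relative links
        if parts.scheme == "http" and parts.hostname == host:
            findings.append(f"<{tag}> downgrades to {target}")
    if not any(k.lower() == "strict-transport-security" for k, _ in headers):
        findings.append("no Strict-Transport-Security header")
    for key, value in headers:
        if key.lower() == "set-cookie":
            for morsel in SimpleCookie(value).values():
                if not morsel["secure"]:
                    findings.append(f"cookie {morsel.key!r} lacks Secure")
    return findings


# Constructed response (not captured from bugs.python.org); the cookie name
# and value are made up, the URLs are the ones quoted in the thread.
SAMPLE_URL = "https://bugs.python.org/issue31234?@ok_message=msg%20301118%20created"
SAMPLE_HEADERS = [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]
SAMPLE_HTML = """
<form method="post" action="http://bugs.python.org/issue31234"></form>
<a href="http://bugs.python.org/issue31234">clear this message</a>
<a href="issue31250">relative link, inherits HTTPS</a>
<a href="http://example.org/">other host, out of scope</a>
"""

print(*audit_https(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML), sep="\n")
```

Relative links inherit the page's scheme, so only absolute `http://` URLs generated for the tracker's own host are reported.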

FYI, there is issue report for it.
http://psf.upfronthosting.co.za/roundup/meta/issue463
INADA Naoki songofacandy@gmail.com
On Fri, Sep 1, 2017 at 9:57 PM, Victor Stinner victor.stinner@gmail.com wrote:
> Hi,
> When I go to http://bugs.python.org/ Firefox warns me that the form on the left to login (user, password) sends data in clear text (HTTP).
> Ok, I switch manually to HTTPS: add "s" in "http://" of the URL.
> I log in.
> I go to an issue using HTTPS like https://bugs.python.org/issue31250
> I modify an issue using the form and click on [Submit Changes] (or just press Enter): I'm back to HTTP. Truncated URL:
> http://bugs.python.org/issue31250?@ok_message=msg%20301099%20created%...
> Hum, again I switch manually to HTTPS by modifying the URL:
> https://bugs.python.org/issue31250?@ok_message=msg%20301099%20created%...
> I click on the "clear this message" link: oops, I'm back to the HTTP world...
> http://bugs.python.org/issue31250
> So, would it be possible to enforce HTTPS on the bug tracker?
> The best would be to always generate HTTPS urls and *maybe* redirect HTTP to HTTPS.
> Sorry, I don't know what are the best practices. For example, should we use HTTPS only cookies?
> Victor

On Fri, 1 Sep 2017 22:15:29 +0900 INADA Naoki songofacandy@gmail.com wrote:
> FYI, there is issue report for it. http://psf.upfronthosting.co.za/roundup/meta/issue463 INADA Naoki songofacandy@gmail.com
That issue is about making the tracker HTTPS-only, but fixing internal links to point to the HTTPS site would already go a long way, even without switching off HTTP access.
Regards
Antoine.

I also would like the links from bug tracker emails be in https instead of http.
On Sep 1, 2017 6:31 AM, "Antoine Pitrou" solipsis@pitrou.net wrote:
> On Fri, 1 Sep 2017 22:15:29 +0900 INADA Naoki songofacandy@gmail.com wrote:
>> FYI, there is issue report for it. http://psf.upfronthosting.co.za/roundup/meta/issue463 INADA Naoki songofacandy@gmail.com
> That issue is about making the tracker HTTPS-only, but fixing internal links to point to the HTTPS site would already go a long way, even without switching off HTTP access.
> Regards
> Antoine.

## HTTP STS
- Wikipedia: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
- Docs: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-S...
## letsencrypt "A free, automated, and open certificate authority."
- Wikipedia: https://en.wikipedia.org/wiki/Let%27s_Encrypt
- Homepage: https://letsencrypt.org/
- Src: https://github.com/letsencrypt
- Docs: https://letsencrypt.readthedocs.io/en/latest/
- Docs: https://letsencrypt.readthedocs.io/en/latest/using.html#getting-certificates...
- Docs: https://letsencrypt.readthedocs.io/en/latest/using.html#third-party-plugins
### ACME Protocol
- Wikipedia: https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment
On Fri, Sep 1, 2017 at 8:35 AM, Mariatta Wijaya mariatta.wijaya@gmail.com wrote:
> I also would like the links from bug tracker emails be in https instead of http.
> On Sep 1, 2017 6:31 AM, "Antoine Pitrou" solipsis@pitrou.net wrote:
>> On Fri, 1 Sep 2017 22:15:29 +0900 INADA Naoki songofacandy@gmail.com wrote:
>>> FYI, there is issue report for it. http://psf.upfronthosting.co.za/roundup/meta/issue463 INADA Naoki songofacandy@gmail.com
>> That issue is about making the tracker HTTPS-only, but fixing internal links to point to the HTTPS site would already go a long way, even without switching off HTTP access.
>> Regards
>> Antoine.

Here's e.g. Jupyter Notebook w/ letsencrypt in a Makefile:
https://github.com/jupyter/docker-stacks/blob/master/examples/make-deploy/le...
... https://github.com/jupyter/docker-stacks
On Fri, Sep 1, 2017 at 9:08 AM, Wes Turner wes.turner@gmail.com wrote:
> ## HTTP STS
> - Wikipedia: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
> - Docs: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
> ## letsencrypt "A free, automated, and open certificate authority."
> - Wikipedia: https://en.wikipedia.org/wiki/Let%27s_Encrypt
> - Homepage: https://letsencrypt.org/
> - Src: https://github.com/letsencrypt
> - Docs: https://letsencrypt.readthedocs.io/en/latest/
> - Docs: https://letsencrypt.readthedocs.io/en/latest/using.html#getting-certificates-and-choosing-plugins
> - Docs: https://letsencrypt.readthedocs.io/en/latest/using.html#third-party-plugins
> ### ACME Protocol
> - Wikipedia: https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment
> On Fri, Sep 1, 2017 at 8:35 AM, Mariatta Wijaya <mariatta.wijaya@gmail.com> wrote:
>> I also would like the links from bug tracker emails be in https instead of http.
>> On Sep 1, 2017 6:31 AM, "Antoine Pitrou" solipsis@pitrou.net wrote:
>>> On Fri, 1 Sep 2017 22:15:29 +0900 INADA Naoki songofacandy@gmail.com wrote:
>>>> FYI, there is issue report for it. http://psf.upfronthosting.co.za/roundup/meta/issue463 INADA Naoki songofacandy@gmail.com
>>> That issue is about making the tracker HTTPS-only, but fixing internal links to point to the HTTPS site would already go a long way, even without switching off HTTP access.
>>> Regards
>>> Antoine.

And by the way the problem goes away if you use the "HTTPS Everywhere" plugin for Firefox.
Regards
Antoine.
On Fri, 1 Sep 2017 15:29:58 +0200 Antoine Pitrou solipsis@pitrou.net wrote:
> On Fri, 1 Sep 2017 22:15:29 +0900 INADA Naoki songofacandy@gmail.com wrote:
>> FYI, there is issue report for it. http://psf.upfronthosting.co.za/roundup/meta/issue463 INADA Naoki songofacandy@gmail.com
> That issue is about making the tracker HTTPS-only, but fixing internal links to point to the HTTPS site would already go a long way, even without switching off HTTP access.
> Regards
> Antoine.

On 9/1/2017 9:36 AM, Antoine Pitrou wrote:
> And by the way the problem goes away if you use the "HTTPS Everywhere" plugin for Firefox.
Firefox has both 'extension' and 'plugin' add-ons. "HTTPS Everywhere" is found under 'extensions'. Works great.
> On Fri, 1 Sep 2017 15:29:58 +0200 Antoine Pitrou solipsis@pitrou.net wrote:
>> On Fri, 1 Sep 2017 22:15:29 +0900 INADA Naoki songofacandy@gmail.com wrote:
>>> FYI, there is issue report for it. http://psf.upfronthosting.co.za/roundup/meta/issue463 INADA Naoki songofacandy@gmail.com
>> That issue is about making the tracker HTTPS-only, but fixing internal links to point to the HTTPS site would already go a long way, even without switching off HTTP access.

2017-09-01 15:36 GMT+02:00 Antoine Pitrou solipsis@pitrou.net:
> And by the way the problem goes away if you use the "HTTPS Everywhere" plugin for Firefox.
I do have "HTTPS Everywhere" Firefox plugin version 2017.8.31 (so it seems very recent), but it is displayed as "obsolete" ("obsolète" in French). I'm using Firefox 55 on Fedora 26. It seems like the plugin has to be updated to use the new WebExtensions API.
https://www.eff.org/https-everywhere
https://github.com/EFForg/https-everywhere/issues/7389
"No. HTTPS Everywhere has already been migrated to WebExtensions. We're unable to switch HTTPSE on Firefox over to WebExtensions until Tor Browser rebases to FF 52 ESR, as I already stated: #7389 (comment)"
"Currently the main blocker to WebExtensions deployment on Firefox is a secure signing mechanism for the self-hosted version. See #9958 (comment)"
In short, it doesn't work :-)
Victor

2017-09-01 16:34 GMT+02:00 Antoine Pitrou antoine@python.org:
> I'm using Firefox 55 on Ubuntu 16.04 and it works here. You may be misunderstanding what happens :-)
Maybe I misunderstood you when you wrote:
> And by the way the problem goes away if you use the "HTTPS Everywhere" plugin for Firefox.
Try for example this page:
https://bugs.python.org/issue31234?@ok_message=msg%20301118%20created
For me, the "clear this message" link is HTTP, not HTTPS:
http://bugs.python.org/issue31234
Victor

On Fri, 1 Sep 2017 17:03:59 +0200 Victor Stinner victor.stinner@gmail.com wrote:
>> And by the way the problem goes away if you use the "HTTPS Everywhere" plugin for Firefox.
> Try for example this page:
> https://bugs.python.org/issue31234?@ok_message=msg%20301118%20created
> For me, the "clear this message" link is HTTP, not HTTPS:
Sure, but if you click on this link, it will go to the HTTPS version nevertheless.
Regards
Antoine.

On Fri, Sep 01, 2017 at 05:27:59PM +0200, Antoine Pitrou solipsis@pitrou.net wrote:
> On Fri, 1 Sep 2017 17:03:59 +0200 Victor Stinner victor.stinner@gmail.com wrote:
>>> And by the way the problem goes away if you use the "HTTPS Everywhere" plugin for Firefox.
>> Try for example this page:
>> https://bugs.python.org/issue31234?@ok_message=msg%20301118%20created
>> For me, the "clear this message" link is HTTP, not HTTPS:
> Sure, but if you click on this link, it will go to the HTTPS version nevertheless.
It doesn't for me. :-( FFox 55.0.1, HTTPS Everywhere 2017.8.15.
> Regards
> Antoine.
Oleg.

On Fri, 1 Sep 2017 17:31:00 +0200 Oleg Broytman phd@phdru.name wrote:
> On Fri, Sep 01, 2017 at 05:27:59PM +0200, Antoine Pitrou solipsis@pitrou.net wrote:
>> On Fri, 1 Sep 2017 17:03:59 +0200 Victor Stinner victor.stinner@gmail.com wrote:
>>>> And by the way the problem goes away if you use the "HTTPS Everywhere" plugin for Firefox.
>>> Try for example this page:
>>> https://bugs.python.org/issue31234?@ok_message=msg%20301118%20created
>>> For me, the "clear this message" link is HTTP, not HTTPS:
>> Sure, but if you click on this link, it will go to the HTTPS version nevertheless.
> It doesn't for me. :-( FFox 55.0.1, HTTPS Everywhere 2017.8.15.
That's surprising. It's definitely part of the standard rules (enabled by default): https://www.eff.org/https-everywhere/atlas/domains/python.org.html
Perhaps you tweaked your configuration?
Regards
Antoine.

2017-09-01 19:06 GMT+02:00 Antoine Pitrou solipsis@pitrou.net:
> That's surprising. It's definitely part of the standard rules (enabled by default): https://www.eff.org/https-everywhere/atlas/domains/python.org.html
Maybe the plugin is also broken, as my setup. Maybe it's related to the recent "multiprocess" major change of Firefox?
Victor

On Fri, Sep 01, 2017 at 07:06:57PM +0200, Antoine Pitrou solipsis@pitrou.net wrote:
> On Fri, 1 Sep 2017 17:31:00 +0200 Oleg Broytman phd@phdru.name wrote:
>> On Fri, Sep 01, 2017 at 05:27:59PM +0200, Antoine Pitrou solipsis@pitrou.net wrote:
>>> On Fri, 1 Sep 2017 17:03:59 +0200 Victor Stinner victor.stinner@gmail.com wrote:
>>>>> And by the way the problem goes away if you use the "HTTPS Everywhere" plugin for Firefox.
>>>> Try for example this page:
>>>> https://bugs.python.org/issue31234?@ok_message=msg%20301118%20created
>>>> For me, the "clear this message" link is HTTP, not HTTPS:
>>> Sure, but if you click on this link, it will go to the HTTPS version nevertheless.
>> It doesn't for me. :-( FFox 55.0.1, HTTPS Everywhere 2017.8.15.
> That's surprising. It's definitely part of the standard rules (enabled by default): https://www.eff.org/https-everywhere/atlas/domains/python.org.html
> Perhaps you tweaked your configuration?
Not for HTTPS Everywhere.
> Regards
> Antoine.
Oleg.

On 9/1/2017 11:31 AM, Oleg Broytman wrote:
> On Fri, Sep 01, 2017 at 05:27:59PM +0200, Antoine Pitrou solipsis@pitrou.net wrote:
>> On Fri, 1 Sep 2017 17:03:59 +0200 Victor Stinner victor.stinner@gmail.com wrote:
>>>> And by the way the problem goes away if you use the "HTTPS Everywhere" plugin for Firefox.
>>> Try for example this page:
>>> https://bugs.python.org/issue31234?@ok_message=msg%20301118%20created
>>> For me, the "clear this message" link is HTTP, not HTTPS:
>> Sure, but if you click on this link, it will go to the HTTPS version nevertheless.
> It doesn't for me. :-( FFox 55.0.1, HTTPS Everywhere 2017.8.15.
It fetches https: for me: 55.0.3, 2017.8.31, updated yesterday.
>> Regards
>> Antoine.
> Oleg.

On Fri, Sep 01, 2017 at 02:55:40PM -0400, Terry Reedy tjreedy@udel.edu wrote:
> On 9/1/2017 11:31 AM, Oleg Broytman wrote:
>> On Fri, Sep 01, 2017 at 05:27:59PM +0200, Antoine Pitrou solipsis@pitrou.net wrote:
>>> On Fri, 1 Sep 2017 17:03:59 +0200 Victor Stinner victor.stinner@gmail.com wrote:
>>>>> And by the way the problem goes away if you use the "HTTPS Everywhere" plugin for Firefox.
>>>> Try for example this page:
>>>> https://bugs.python.org/issue31234?@ok_message=msg%20301118%20created
>>>> For me, the "clear this message" link is HTTP, not HTTPS:
>>> Sure, but if you click on this link, it will go to the HTTPS version nevertheless.
>> It doesn't for me. :-( FFox 55.0.1, HTTPS Everywhere 2017.8.15.
> It fetches https: for me: 55.0.3, 2017.8.31, updated yesterday.
I upgraded Fox and the extension. http://bugs.python.org now is redirected to https:// Thanks!
>>> Regards
>>> Antoine.
>> Oleg.
> -- Terry Jan Reedy
Oleg.

You're right. It should be bpo configuration issue.
https://hg.python.org/tracker/roundup/file/bugs.python.org/roundup/cgi/clien...
https://hg.python.org/tracker/python-dev/file/tip/config.ini.template#l118
I can't real config file used for bpo. But maybe, tracker.web is 'http://bugs.python.org/' instead of 'https://bugs.python.org/'
INADA Naoki songofacandy@gmail.com
On Fri, Sep 1, 2017 at 10:29 PM, Antoine Pitrou solipsis@pitrou.net wrote:
> On Fri, 1 Sep 2017 22:15:29 +0900 INADA Naoki songofacandy@gmail.com wrote:
>> FYI, there is issue report for it. http://psf.upfronthosting.co.za/roundup/meta/issue463 INADA Naoki songofacandy@gmail.com
> That issue is about making the tracker HTTPS-only, but fixing internal links to point to the HTTPS site would already go a long way, even without switching off HTTP access.
> Regards
> Antoine.

Fixed. Thanks to infra team. http://psf.upfronthosting.co.za/roundup/meta/issue638
INADA Naoki songofacandy@gmail.com
On Fri, Sep 1, 2017 at 9:57 PM, Victor Stinner victor.stinner@gmail.com wrote:
> Hi,
> When I go to http://bugs.python.org/ Firefox warns me that the form on the left to login (user, password) sends data in clear text (HTTP).
> Ok, I switch manually to HTTPS: add "s" in "http://" of the URL.
> I log in.
> I go to an issue using HTTPS like https://bugs.python.org/issue31250
> I modify an issue using the form and click on [Submit Changes] (or just press Enter): I'm back to HTTP. Truncated URL:
> http://bugs.python.org/issue31250?@ok_message=msg%20301099%20created%...
> Hum, again I switch manually to HTTPS by modifying the URL:
> https://bugs.python.org/issue31250?@ok_message=msg%20301099%20created%...
> I click on the "clear this message" link: oops, I'm back to the HTTP world...
> http://bugs.python.org/issue31250
> So, would it be possible to enforce HTTPS on the bug tracker?
> The best would be to always generate HTTPS urls and *maybe* redirect HTTP to HTTPS.
> Sorry, I don't know what are the best practices. For example, should we use HTTPS only cookies?
> Victor