Hi,
When I go to http://bugs.python.org/ Firefox warns me that the form on the left to login (user, password) sends data in clear text (HTTP).
Ok, I switch manually to HTTPS: add "s" in "http://" of the URL.
I log in.
I go to an issue using HTTPS like https://bugs.python.org/issue31250
I modify an issue using the form and click on [Submit Changes] (or just press Enter): I'm back to HTTP. Truncated URL:
http://bugs.python.org/issue31250?@ok_message=msg%20301099%20created%...
Hum, again I switch manually to HTTPS by modifying the URL:
https://bugs.python.org/issue31250?@ok_message=msg%20301099%20created%...
I click on the "clear this message" link: oops, I'm back to the HTTP world...
http://bugs.python.org/issue31250
So, would it be possible to enforce HTTPS on the bug tracker?
The best would be to always generate HTTPS urls and *maybe* redirect HTTP to HTTPS.
Sorry, I don't know what are the best practices. For example, should we use HTTPS only cookies?
Victor
FYI, there is an issue report for it.
http://psf.upfronthosting.co.za/roundup/meta/issue463
INADA Naoki <songofacandy@gmail.com>
On Fri, Sep 1, 2017 at 9:57 PM, Victor Stinner <victor.stinner@gmail.com> wrote:
> Hi,
> When I go to http://bugs.python.org/ Firefox warns me that the form on the left to login (user, password) sends data in clear text (HTTP).
> Ok, I switch manually to HTTPS: add "s" in "http://" of the URL.
> I log in.
> I go to an issue using HTTPS like https://bugs.python.org/issue31250
> I modify an issue using the form and click on [Submit Changes] (or just press Enter): I'm back to HTTP. Truncated URL:
> http://bugs.python.org/issue31250?@ok_message=msg%20301099%20created%...
> Hum, again I switch manually to HTTPS by modifying the URL:
> https://bugs.python.org/issue31250?@ok_message=msg%20301099%20created%...
> I click on the "clear this message" link: oops, I'm back to the HTTP world...
> http://bugs.python.org/issue31250
> So, would it be possible to enforce HTTPS on the bug tracker?
> The best would be to always generate HTTPS urls and *maybe* redirect HTTP to HTTPS.
> Sorry, I don't know what are the best practices. For example, should we use HTTPS only cookies?
> Victor
On Fri, 1 Sep 2017 22:15:29 +0900 INADA Naoki <songofacandy@gmail.com> wrote:
> FYI, there is an issue report for it.
> http://psf.upfronthosting.co.za/roundup/meta/issue463
> INADA Naoki <songofacandy@gmail.com>
That issue is about making the tracker HTTPS-only, but fixing internal links to point to the HTTPS site would already go a long way, even without switching off HTTP access.
Regards
Antoine.
I also would like the links from bug tracker emails to be in https instead of http.
On Sep 1, 2017 6:31 AM, "Antoine Pitrou" <solipsis@pitrou.net> wrote:
> On Fri, 1 Sep 2017 22:15:29 +0900 INADA Naoki <songofacandy@gmail.com> wrote:
>> FYI, there is an issue report for it.
>> http://psf.upfronthosting.co.za/roundup/meta/issue463
>> INADA Naoki <songofacandy@gmail.com>
> That issue is about making the tracker HTTPS-only, but fixing internal links to point to the HTTPS site would already go a long way, even without switching off HTTP access.
> Regards
> Antoine.
## HTTP STS
- Wikipedia: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
- Docs: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-S...
- https://https.cio.gov/hsts/
## letsencrypt
"A free, automated, and open certificate authority."
- Wikipedia: https://en.wikipedia.org/wiki/Let%27s_Encrypt
- Homepage: https://letsencrypt.org/
- Src: https://github.com/letsencrypt
- Docs: https://letsencrypt.readthedocs.io/en/latest/
- Docs: https://letsencrypt.readthedocs.io/en/latest/using.html#getting-certificates...
- Docs: https://letsencrypt.readthedocs.io/en/latest/using.html#third-party-plugins
### ACME Protocol
- Wikipedia: https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment
On Fri, Sep 1, 2017 at 8:35 AM, Mariatta Wijaya <mariatta.wijaya@gmail.com> wrote:
> I also would like the links from bug tracker emails to be in https instead of http.
> On Sep 1, 2017 6:31 AM, "Antoine Pitrou" <solipsis@pitrou.net> wrote:
>> On Fri, 1 Sep 2017 22:15:29 +0900 INADA Naoki <songofacandy@gmail.com> wrote:
>>> FYI, there is an issue report for it.
>>> http://psf.upfronthosting.co.za/roundup/meta/issue463
>>> INADA Naoki <songofacandy@gmail.com>
>> That issue is about making the tracker HTTPS-only, but fixing internal links to point to the HTTPS site would already go a long way, even without switching off HTTP access.
>> Regards
>> Antoine.
Here's e.g. Jupyter Notebook w/ letsencrypt in a Makefile:
https://github.com/jupyter/docker-stacks/blob/master/examples/make-deploy/le...
...
https://github.com/jupyter/docker-stacks
On Fri, Sep 1, 2017 at 9:08 AM, Wes Turner <wes.turner@gmail.com> wrote:
> ## HTTP STS
> - Wikipedia: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
> - Docs: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
> ## letsencrypt
> "A free, automated, and open certificate authority."
> - Wikipedia: https://en.wikipedia.org/wiki/Let%27s_Encrypt
> - Homepage: https://letsencrypt.org/
> - Src: https://github.com/letsencrypt
> - Docs: https://letsencrypt.readthedocs.io/en/latest/
> - Docs: https://letsencrypt.readthedocs.io/en/latest/using.html#getting-certificates-and-choosing-plugins
> - Docs: https://letsencrypt.readthedocs.io/en/latest/using.html#third-party-plugins
> ### ACME Protocol
> - Wikipedia: https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment
> On Fri, Sep 1, 2017 at 8:35 AM, Mariatta Wijaya <mariatta.wijaya@gmail.com> wrote:
>> I also would like the links from bug tracker emails to be in https instead of http.
>> On Sep 1, 2017 6:31 AM, "Antoine Pitrou" <solipsis@pitrou.net> wrote:
>>> On Fri, 1 Sep 2017 22:15:29 +0900 INADA Naoki <songofacandy@gmail.com> wrote:
>>>> FYI, there is an issue report for it.
>>>> http://psf.upfronthosting.co.za/roundup/meta/issue463
>>>> INADA Naoki <songofacandy@gmail.com>
>>> That issue is about making the tracker HTTPS-only, but fixing internal links to point to the HTTPS site would already go a long way, even without switching off HTTP access.
>>> Regards
>>> Antoine.
And by the way the problem goes away if you use the "HTTPS Everywhere" plugin for Firefox.
Regards
Antoine.
On Fri, 1 Sep 2017 15:29:58 +0200 Antoine Pitrou <solipsis@pitrou.net> wrote:
> On Fri, 1 Sep 2017 22:15:29 +0900 INADA Naoki <songofacandy@gmail.com> wrote:
>> FYI, there is an issue report for it.
>> http://psf.upfronthosting.co.za/roundup/meta/issue463
>> INADA Naoki <songofacandy@gmail.com>
> That issue is about making the tracker HTTPS-only, but fixing internal links to point to the HTTPS site would already go a long way, even without switching off HTTP access.
> Regards
> Antoine.
On 9/1/2017 9:36 AM, Antoine Pitrou wrote:
> And by the way the problem goes away if you use the "HTTPS Everywhere" plugin for Firefox.
Firefox has both 'extension' and 'plugin' add-ons. "HTTPS Everywhere" is found under 'extensions'. Works great.
> On Fri, 1 Sep 2017 15:29:58 +0200 Antoine Pitrou <solipsis@pitrou.net> wrote:
>> On Fri, 1 Sep 2017 22:15:29 +0900 INADA Naoki <songofacandy@gmail.com> wrote:
>>> FYI, there is an issue report for it.
>>> http://psf.upfronthosting.co.za/roundup/meta/issue463
>>> INADA Naoki <songofacandy@gmail.com>
>> That issue is about making the tracker HTTPS-only, but fixing internal links to point to the HTTPS site would already go a long way, even without switching off HTTP access.
-- Terry Jan Reedy
2017-09-01 15:36 GMT+02:00 Antoine Pitrou <solipsis@pitrou.net>:
> And by the way the problem goes away if you use the "HTTPS Everywhere" plugin for Firefox.
I do have "HTTPS Everywhere" Firefox plugin version 2017.8.31 (so it seems very recent), but it displayed as "obsolete" ("obsolète" in French). I'm using Firefox 55 on Fedora 26. It seems like the plugin has to be updated to use the new WebExtensions API.
https://www.eff.org/https-everywhere
https://github.com/EFForg/https-everywhere/issues/7389
"No. HTTPS Everywhere has already been migrated to WebExtensions. We're unable to switch HTTPSE on Firefox over to WebExtensions until Tor Browser rebases to FF 52 ESR, as I already stated: #7389 (comment)"
"Currently the main blocker to WebExtensions deployment on Firefox is a secure signing mechanism for the self-hosted version. See #9958 (comment)"
In short, it doesn't work :-)
Victor
2017-09-01 16:34 GMT+02:00 Antoine Pitrou <antoine@python.org>:
> I'm using Firefox 55 on Ubuntu 16.04 and it works here. You may be misunderstanding what happens :-)
Maybe I misunderstood you when you wrote:
> And by the way the problem goes away if you use the "HTTPS Everywhere" plugin for Firefox.
Try for example this page:
https://bugs.python.org/issue31234?@ok_message=msg%20301118%20created
For me, the "clear this message" link is HTTP, not HTTPS:
http://bugs.python.org/issue31234
Victor
On Fri, 1 Sep 2017 17:03:59 +0200 Victor Stinner <victor.stinner@gmail.com> wrote:
>> And by the way the problem goes away if you use the "HTTPS Everywhere" plugin for Firefox.
> Try for example this page:
> https://bugs.python.org/issue31234?@ok_message=msg%20301118%20created
> For me, the "clear this message" link is HTTP, not HTTPS:
Sure, but if you click on this link, it will go to the HTTPS version nevertheless.
Regards
Antoine.
On Fri, Sep 01, 2017 at 05:27:59PM +0200, Antoine Pitrou <solipsis@pitrou.net> wrote:
> On Fri, 1 Sep 2017 17:03:59 +0200 Victor Stinner <victor.stinner@gmail.com> wrote:
>>> And by the way the problem goes away if you use the "HTTPS Everywhere" plugin for Firefox.
>> Try for example this page:
>> https://bugs.python.org/issue31234?@ok_message=msg%20301118%20created
>> For me, the "clear this message" link is HTTP, not HTTPS:
> Sure, but if you click on this link, it will go to the HTTPS version nevertheless.
It doesn't for me. :-( FFox 55.0.1, HTTPS Everywhere 2017.8.15.
> Regards
> Antoine.
Oleg.
--
Oleg Broytman http://phdru.name/ phd@phdru.name
Programmers don't die, they just GOSUB without RETURN.
On Fri, 1 Sep 2017 17:31:00 +0200 Oleg Broytman <phd@phdru.name> wrote:
> On Fri, Sep 01, 2017 at 05:27:59PM +0200, Antoine Pitrou <solipsis@pitrou.net> wrote:
>> On Fri, 1 Sep 2017 17:03:59 +0200 Victor Stinner <victor.stinner@gmail.com> wrote:
>>>> And by the way the problem goes away if you use the "HTTPS Everywhere" plugin for Firefox.
>>> Try for example this page:
>>> https://bugs.python.org/issue31234?@ok_message=msg%20301118%20created
>>> For me, the "clear this message" link is HTTP, not HTTPS:
>> Sure, but if you click on this link, it will go to the HTTPS version nevertheless.
> It doesn't for me. :-( FFox 55.0.1, HTTPS Everywhere 2017.8.15.
That's surprising. It's definitely part of the standard rules (enabled by default):
https://www.eff.org/https-everywhere/atlas/domains/python.org.html
Perhaps you tweaked your configuration?
Regards
Antoine.
2017-09-01 19:06 GMT+02:00 Antoine Pitrou <solipsis@pitrou.net>:
> That's surprising. It's definitely part of the standard rules (enabled by default):
> https://www.eff.org/https-everywhere/atlas/domains/python.org.html
Maybe the plugin is also broken, as my setup. Maybe it's related to the recent "multiprocess" major change of Firefox?
Victor
On Fri, Sep 01, 2017 at 07:06:57PM +0200, Antoine Pitrou <solipsis@pitrou.net> wrote:
> On Fri, 1 Sep 2017 17:31:00 +0200 Oleg Broytman <phd@phdru.name> wrote:
>> On Fri, Sep 01, 2017 at 05:27:59PM +0200, Antoine Pitrou <solipsis@pitrou.net> wrote:
>>> On Fri, 1 Sep 2017 17:03:59 +0200 Victor Stinner <victor.stinner@gmail.com> wrote:
>>>>> And by the way the problem goes away if you use the "HTTPS Everywhere" plugin for Firefox.
>>>> Try for example this page:
>>>> https://bugs.python.org/issue31234?@ok_message=msg%20301118%20created
>>>> For me, the "clear this message" link is HTTP, not HTTPS:
>>> Sure, but if you click on this link, it will go to the HTTPS version nevertheless.
>> It doesn't for me. :-( FFox 55.0.1, HTTPS Everywhere 2017.8.15.
> That's surprising. It's definitely part of the standard rules (enabled by default):
> https://www.eff.org/https-everywhere/atlas/domains/python.org.html
> Perhaps you tweaked your configuration?
Not for HTTPS Everywhere.
> Regards
> Antoine.
Oleg.
--
Oleg Broytman http://phdru.name/ phd@phdru.name
Programmers don't die, they just GOSUB without RETURN.
On 9/1/2017 11:31 AM, Oleg Broytman wrote:
> On Fri, Sep 01, 2017 at 05:27:59PM +0200, Antoine Pitrou <solipsis@pitrou.net> wrote:
>> On Fri, 1 Sep 2017 17:03:59 +0200 Victor Stinner <victor.stinner@gmail.com> wrote:
>>>> And by the way the problem goes away if you use the "HTTPS Everywhere" plugin for Firefox.
>>> Try for example this page:
>>> https://bugs.python.org/issue31234?@ok_message=msg%20301118%20created
>>> For me, the "clear this message" link is HTTP, not HTTPS:
>> Sure, but if you click on this link, it will go to the HTTPS version nevertheless.
> It doesn't for me. :-( FFox 55.0.1, HTTPS Everywhere 2017.8.15.
It fetches https: for me: 55.0.3, 2017.8.31, updated yesterday.
>> Regards
>> Antoine.
> Oleg.
-- Terry Jan Reedy
On Fri, Sep 01, 2017 at 02:55:40PM -0400, Terry Reedy <tjreedy@udel.edu> wrote:
> On 9/1/2017 11:31 AM, Oleg Broytman wrote:
>> On Fri, Sep 01, 2017 at 05:27:59PM +0200, Antoine Pitrou <solipsis@pitrou.net> wrote:
>>> On Fri, 1 Sep 2017 17:03:59 +0200 Victor Stinner <victor.stinner@gmail.com> wrote:
>>>>> And by the way the problem goes away if you use the "HTTPS Everywhere" plugin for Firefox.
>>>> Try for example this page:
>>>> https://bugs.python.org/issue31234?@ok_message=msg%20301118%20created
>>>> For me, the "clear this message" link is HTTP, not HTTPS:
>>> Sure, but if you click on this link, it will go to the HTTPS version nevertheless.
>> It doesn't for me. :-( FFox 55.0.1, HTTPS Everywhere 2017.8.15.
> It fetches https: for me: 55.0.3, 2017.8.31, updated yesterday.
I upgraded Fox and the extension. http://bugs.python.org now is redirected to https:// Thanks!
>>> Regards
>>> Antoine.
>> Oleg.
> --
> Terry Jan Reedy
Oleg.
--
Oleg Broytman http://phdru.name/ phd@phdru.name
Programmers don't die, they just GOSUB without RETURN.
You're right. It should be a bpo configuration issue.
https://hg.python.org/tracker/roundup/file/bugs.python.org/roundup/cgi/clien...
https://hg.python.org/tracker/python-dev/file/tip/config.ini.template#l118
I can't real config file used for bpo. But maybe, tracker.web is 'http://bugs.python.org/' instead of 'https://bugs.python.org/'
INADA Naoki <songofacandy@gmail.com>
On Fri, Sep 1, 2017 at 10:29 PM, Antoine Pitrou <solipsis@pitrou.net> wrote:
> On Fri, 1 Sep 2017 22:15:29 +0900 INADA Naoki <songofacandy@gmail.com> wrote:
>> FYI, there is an issue report for it.
>> http://psf.upfronthosting.co.za/roundup/meta/issue463
>> INADA Naoki <songofacandy@gmail.com>
> That issue is about making the tracker HTTPS-only, but fixing internal links to point to the HTTPS site would already go a long way, even without switching off HTTP access.
> Regards
> Antoine.
Fixed. Thanks to infra team.
http://psf.upfronthosting.co.za/roundup/meta/issue638
INADA Naoki <songofacandy@gmail.com>
On Fri, Sep 1, 2017 at 9:57 PM, Victor Stinner <victor.stinner@gmail.com> wrote:
> Hi,
> When I go to http://bugs.python.org/ Firefox warns me that the form on the left to login (user, password) sends data in clear text (HTTP).
> Ok, I switch manually to HTTPS: add "s" in "http://" of the URL.
> I log in.
> I go to an issue using HTTPS like https://bugs.python.org/issue31250
> I modify an issue using the form and click on [Submit Changes] (or just press Enter): I'm back to HTTP. Truncated URL:
> http://bugs.python.org/issue31250?@ok_message=msg%20301099%20created%...
> Hum, again I switch manually to HTTPS by modifying the URL:
> https://bugs.python.org/issue31250?@ok_message=msg%20301099%20created%...
> I click on the "clear this message" link: oops, I'm back to the HTTP world...
> http://bugs.python.org/issue31250
> So, would it be possible to enforce HTTPS on the bug tracker?
> The best would be to always generate HTTPS urls and *maybe* redirect HTTP to HTTPS.
> Sorry, I don't know what are the best practices. For example, should we use HTTPS only cookies?
> Victor
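A check for the gaps raised in this thread (plain-HTTP pages that are not redirected, redirects and same-host links that drop back to HTTP, session cookies without `Secure`, no HSTS header), as an added example that is not part of the mailing-list thread or of Roundup. The response data, the cookie name and the finding labels are constructed for illustration.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit


class TargetCollector(HTMLParser):
    """Collect navigation targets: <a href> and <form action>."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        wanted = {"a": "href", "form": "action"}.get(tag)
        self.targets += [v for k, v in attrs if k == wanted and v]


def audit(url, status, headers, body=""):
    """Return sorted findings for one response; headers is a list of pairs."""
    page, findings = urlsplit(url), set()
    hdrs = [(k.lower(), v) for k, v in headers]
    location = next((v for k, v in hdrs if k == "location"), None)
    if page.scheme == "http":
        # Plain HTTP is acceptable only as a redirect to HTTPS.
        ok = (300 <= status < 400 and location is not None
              and urlsplit(urljoin(url, location)).scheme == "https")
        return [] if ok else ["http-not-redirected"]
    if location and urlsplit(urljoin(url, location)).scheme == "http":
        findings.add("redirect-downgrade")  # e.g. after a form submit
    if not any(k == "strict-transport-security" for k, _ in hdrs):
        findings.add("hsts-missing")
    for k, v in hdrs:
        if k == "set-cookie":
            jar = SimpleCookie()
            jar.load(v)
            findings.update(f"cookie-not-secure:{m.key}"
                            for m in jar.values() if not m["secure"])
    collector = TargetCollector()
    collector.feed(body)
    for target in collector.targets:
        dest = urlsplit(urljoin(url, target))
        if dest.scheme == "http" and dest.hostname == page.hostname:
            findings.add(f"link-downgrade:{target}")
    return sorted(findings)


# Constructed sample (not captured from the real tracker): an HTTPS issue page
# whose "clear this message" link is absolute HTTP; the cookie is made up.
SAMPLE_URL = "https://bugs.python.org/issue31234?@ok_message=msg%20301118%20created"
SAMPLE_HEADERS = [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]
SAMPLE_BODY = ('<a href="http://bugs.python.org/issue31234">clear this message</a>'
               '<a href="/issue31250">related issue</a>')

if __name__ == "__main__":
    print(audit(SAMPLE_URL, 200, SAMPLE_HEADERS, SAMPLE_BODY))
```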
participants (8)
- Antoine Pitrou
- Antoine Pitrou
- INADA Naoki
- Mariatta Wijaya
- Oleg Broytman
- Terry Reedy
- Victor Stinner
- Wes Turner