View Issue Details

IDProjectCategoryView StatusLast Update
0000169Main CAcert Websitewebsite contentpublic2013-01-14 01:32
Reportertomek Assigned ToSourcerer  
PrioritynormalSeverityfeatureReproducibilityalways
Status closedResolutionfixed 
PlatformMain CAcert WebsiteOSN/A 
Fixed in Version2006 
Summary0000169: Use https for bugs.cacert.org
DescriptionI think that bugs.cacert.org should be made accessible via https, not (at least *not only*) via http.
As using bugs.cacert.org requires giving a username and a password, I'd rather not send them in plain (not encrypted) form.
Thank you.
TagsNo tags attached.
Reviewed by
Test Instructions

Activities

bluec

2006-08-16 06:02

manager   ~0000505

Had to restart my browser to be able to access the site again. But now it looks good.

I wonder from a security point of view if it is a risk that now the *.cacert.org ssl certificate is stored on 202.87.16.200 aswell. Until today this machine was meant to be on a lower security level, wasn't it?

duane

2006-08-16 06:23

developer   ~0000506

a certificate for *.cacert.org was on .200 already, the question needing to be asked is there any significant benefit in 2 certificates with the same/similar attributes, or use one...

Sourcerer

2006-08-16 06:46

administrator   ~0000508

works for me

Sourcerer

2006-08-16 06:54

administrator   ~0000510

Oh, I oversaw the recent discussion.
Hmm, I would issue a certificate with subjectAltNames for all the specific subdomains instead. That way it can´t be abused for www.cacert.org and secure.cacert.org (but it is more work in case we want to add a new domain on that machine). I wouldn´t classify the security risk too high, so I leave the decision for someone else who wants to decide.

homer

2006-08-16 07:08

reporter   ~0000511

FYI

I get the following error since https when I change a comment. I don't know if it is related.


APPLICATION ERROR # 203

ERREUR : id doit être un nombre. (=> "id must be a number")

duane

2006-08-16 07:27

developer   ~0000512

Last edited: 2006-08-16 07:44

what URL do you go to to get that error?

During the URL redirection you get a message saying "Operation successful" (something like this in french) then you get the message

=> you've found the way to reproduce the "mantis" bug (I don't remember of it before https:// ... but it was a long time ago before you updated Mantis because of security bugs)

Anyway, despite the error message, the changed message is updated, as you can read

duane

2006-08-16 07:31

developer   ~0000513

Last edited: 2006-08-16 07:51

I had the same error making a change to this page, it's a mantis bug, but I think I can fix it with mod_rewrite in apache config...

Nope can't fix it, guess we should check for upgrades/patches...

Upgraded to 1.0.5 (2006-07-24)

Known bug, was fixed in CVS, I've updated to the fixed file, hoping this works...

Updated file didn't fix the problem...

temp fix posted to the mantis bug tracker...

http://bugs.mantisbt.org/view.php?id=7116

homer

2006-08-16 07:46

reporter   ~0000514

Last edited: 2006-08-16 07:48

the URL is rewritten incorrectly

https://bugs.cacert.org/view.php?id=169%23bugnotes
should be
https://bugs.cacert.org/view.php?id=169#bugnotes

it only bugs when modifying the message...

bluec

2006-08-16 17:08

manager   ~0000542

Back to the security stuff again:

I'd including each subdomain into a new cert instead of *.cacert.org. I don't think that we should put too much trust in the security of mantis, moinmoin, etc.

duane

2006-08-16 18:06

developer   ~0000545

Mantis/Moin etc shouldn't have access to the private key since it's owned/grouped to root and mod 600 and apache drops privledges once it starts up...

I think subjectAltNames is the only option, a different certificate won't work since TLS isn't implemented correctly in apache and/or browsers...

so the choice is a wildcard, or multiple hostnames, and I don't think either will buy us much in the way of security if the domain is hijacked...

If anyone wants to discuss this further can we do so on a mailing list, or at least a new bug, this is way off topic for the bug we're adding notes to...

Issue History

Date Modified Username Field Change
2006-03-08 23:32 tomek New Issue
2006-08-16 05:33 duane Status new => needs work
2006-08-16 05:33 duane Assigned To => Sourcerer
2006-08-16 05:34 duane Status needs work => solved?
2006-08-16 05:34 duane Fixed in Version => production
2006-08-16 05:34 duane Resolution open => fixed
2006-08-16 06:02 bluec Note Added: 0000505
2006-08-16 06:23 duane Note Added: 0000506
2006-08-16 06:46 Sourcerer Status solved? => closed
2006-08-16 06:47 Sourcerer Note Added: 0000508
2006-08-16 06:54 Sourcerer Note Added: 0000510
2006-08-16 07:08 homer Note Added: 0000511
2006-08-16 07:27 duane Note Added: 0000512
2006-08-16 07:29 duane Note View State: 511: public
2006-08-16 07:31 duane Note Added: 0000513
2006-08-16 07:31 duane Note Edited: 0000513
2006-08-16 07:33 duane Note Edited: 0000513
2006-08-16 07:36 duane Note Edited: 0000513
2006-08-16 07:37 duane Note Edited: 0000513
2006-08-16 07:37 duane Note Edited: 0000513
2006-08-16 07:39 homer Note Edited: 0000512
2006-08-16 07:40 homer Note Edited: 0000512
2006-08-16 07:44 homer Note Edited: 0000512
2006-08-16 07:44 duane Note Edited: 0000513
2006-08-16 07:45 duane Note Edited: 0000513
2006-08-16 07:45 duane Note Edited: 0000513
2006-08-16 07:46 homer Note Added: 0000514
2006-08-16 07:47 duane Note Edited: 0000513
2006-08-16 07:47 homer Note Edited: 0000514
2006-08-16 07:48 homer Note Edited: 0000514
2006-08-16 07:51 duane Note Edited: 0000513
2006-08-16 07:51 duane Note View State: 514: public
2006-08-16 07:54 duane Note View State: 514: private
2006-08-16 07:54 duane Note View State: 514: public
2006-08-16 17:08 bluec Note Added: 0000542
2006-08-16 18:06 duane Note Added: 0000545
2013-01-14 01:32 Werner Dworak Fixed in Version => 2006