View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000169 | Main CAcert Website | website content | public | 2006-03-08 23:32 | 2013-01-14 01:32 |
| Reporter | tomek | Assigned To | Sourcerer | ||
| Priority | normal | Severity | feature | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Platform | Main CAcert Website | OS | N/A | OS Version | stable |
| Fixed in Version | 2006 | ||||
| Summary | 0000169: Use https for bugs.cacert.org | ||||
| Description | I think that bugs.cacert.org should be made accessible via https, not (at least *not only*) via http. As using bugs.cacert.org requires giving a username and a password, I'd rather not send them in plain (not encrypted) form. Thank you. | ||||
| Tags | No tags attached. | ||||
| Reviewed by | |||||
| Test Instructions | |||||
|
|
Had to restart my browser to be able to access the site again. But now it looks good. I wonder from a security point of view if it is a risk that now the *.cacert.org ssl certificate is stored on 202.87.16.200 aswell. Until today this machine was meant to be on a lower security level, wasn't it? |
|
|
a certificate for *.cacert.org was on .200 already, the question needing to be asked is there any significant benefit in 2 certificates with the same/similar attributes, or use one... |
|
|
works for me |
|
|
Oh, I oversaw the recent discussion. Hmm, I would issue a certificate with subjectAltNames for all the specific subdomains instead. That way it can´t be abused for www.cacert.org and secure.cacert.org (but it is more work in case we want to add a new domain on that machine). I wouldn´t classify the security risk too high, so I leave the decision for someone else who wants to decide. |
|
|
FYI I get the following error since https when I change a comment. I don't know if it is related. APPLICATION ERROR # 203 ERREUR : id doit être un nombre. (=> "id must be a number") |
|
|
what URL do you go to to get that error? During the URL redirection you get a message saying "Operation successful" (something like this in french) then you get the message => you've found the way to reproduce the "mantis" bug (I don't remember of it before https:// ... but it was a long time ago before you updated Mantis because of security bugs) Anyway, despite the error message, the changed message is updated, as you can read |
|
|
I had the same error making a change to this page, it's a mantis bug, but I think I can fix it with mod_rewrite in apache config... Nope can't fix it, guess we should check for upgrades/patches... Upgraded to 1.0.5 (2006-07-24) Known bug, was fixed in CVS, I've updated to the fixed file, hoping this works... Updated file didn't fix the problem... temp fix posted to the mantis bug tracker... http://bugs.mantisbt.org/view.php?id=7116 |
|
|
the URL is rewritten incorrectly https://bugs.cacert.org/view.php?id=169%23bugnotes should be https://bugs.cacert.org/view.php?id=169#bugnotes it only bugs when modifying the message... |
|
|
Back to the security stuff again: I'd including each subdomain into a new cert instead of *.cacert.org. I don't think that we should put too much trust in the security of mantis, moinmoin, etc. |
|
|
Mantis/Moin etc shouldn't have access to the private key since it's owned/grouped to root and mod 600 and apache drops privledges once it starts up... I think subjectAltNames is the only option, a different certificate won't work since TLS isn't implemented correctly in apache and/or browsers... so the choice is a wildcard, or multiple hostnames, and I don't think either will buy us much in the way of security if the domain is hijacked... If anyone wants to discuss this further can we do so on a mailing list, or at least a new bug, this is way off topic for the bug we're adding notes to... |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2006-03-08 23:32 | tomek | New Issue | |
| 2006-08-16 05:33 | duane | Status | new => needs work |
| 2006-08-16 05:33 | duane | Assigned To | => Sourcerer |
| 2006-08-16 05:34 | duane | Status | needs work => solved? |
| 2006-08-16 05:34 | duane | Fixed in Version | => production |
| 2006-08-16 05:34 | duane | Resolution | open => fixed |
| 2006-08-16 06:02 |
|
Note Added: 0000505 | |
| 2006-08-16 06:23 | duane | Note Added: 0000506 | |
| 2006-08-16 06:46 | Sourcerer | Status | solved? => closed |
| 2006-08-16 06:47 | Sourcerer | Note Added: 0000508 | |
| 2006-08-16 06:54 | Sourcerer | Note Added: 0000510 | |
| 2006-08-16 07:08 | homer | Note Added: 0000511 | |
| 2006-08-16 07:27 | duane | Note Added: 0000512 | |
| 2006-08-16 07:29 | duane | Note View State: 511: public | |
| 2006-08-16 07:31 | duane | Note Added: 0000513 | |
| 2006-08-16 07:31 | duane | Note Edited: 0000513 | |
| 2006-08-16 07:33 | duane | Note Edited: 0000513 | |
| 2006-08-16 07:36 | duane | Note Edited: 0000513 | |
| 2006-08-16 07:37 | duane | Note Edited: 0000513 | |
| 2006-08-16 07:37 | duane | Note Edited: 0000513 | |
| 2006-08-16 07:39 | homer | Note Edited: 0000512 | |
| 2006-08-16 07:40 | homer | Note Edited: 0000512 | |
| 2006-08-16 07:44 | homer | Note Edited: 0000512 | |
| 2006-08-16 07:44 | duane | Note Edited: 0000513 | |
| 2006-08-16 07:45 | duane | Note Edited: 0000513 | |
| 2006-08-16 07:45 | duane | Note Edited: 0000513 | |
| 2006-08-16 07:46 | homer | Note Added: 0000514 | |
| 2006-08-16 07:47 | duane | Note Edited: 0000513 | |
| 2006-08-16 07:47 | homer | Note Edited: 0000514 | |
| 2006-08-16 07:48 | homer | Note Edited: 0000514 | |
| 2006-08-16 07:51 | duane | Note Edited: 0000513 | |
| 2006-08-16 07:51 | duane | Note View State: 514: public | |
| 2006-08-16 07:54 | duane | Note View State: 514: private | |
| 2006-08-16 07:54 | duane | Note View State: 514: public | |
| 2006-08-16 17:08 |
|
Note Added: 0000542 | |
| 2006-08-16 18:06 | duane | Note Added: 0000545 | |
| 2013-01-14 01:32 | Werner Dworak | Fixed in Version | => 2006 |
