Hi,
I announced my concerns on Discord already, but got no reaction, so I post it here as well to have it properly archived.

"A colleague just noticed that the registration for the issue tracker is HTTP-only. This is not an appropriate choice for sensitive data like a password. Any possibilities to make this HTTPS-only? Link: http://tracker.pharo.org/issues-register-service, setting https:// manually does not work"

From my perspective this is a serious problem that should be quickly addressed, it's not just a nice to have feature. Not treating sensitive data with proper care leaves an image of not caring about user security and looks unprofessional. I don't think that is what Pharo needs.

Cheers,
Manuel
On 13 June 2018 at 16:25, Manuel Leuenberger <[hidden email]> wrote:

Hi,

Thanks for raising this. Your concerns are valid, but in the meantime until someone can change it to https, just use a temporary password and immediately change it the first time you log onto Fogbugz - which is a https service.

@all, If it's difficult to add https to it, then perhaps at least a note can be added to advise using a temporary password.

cheers -ben
Hello,
yes, we really need to set up SSL for that server. I will have a look next week.

> On 13 Jun 2018, at 10:25, Manuel Leuenberger <[hidden email]> wrote:
>
> Hi,
>
> I announced my concerns on Discord already, but got no reaction, so I post it here as well to have it properly archived.
>
> "A colleague just noticed that the registration for the issue tracker is HTTP-only. This is not an appropriate choice for sensitive data like a password. Any possibilities to make this HTTPS-only?
> Link: http://tracker.pharo.org/issues-register-service, setting https:// manually does not work"
>
> From my perspective this is a serious problem that should be quickly addressed, it's not just a nice to have feature. Not treating sensitive data with proper care leaves an image of not caring about user security and looks unprofessional. I don't think that is what Pharo needs.
>
> Cheers,
> Manuel
I think Let’s Encrypt can be your friend (that seems to be the instructions all of the providers give - e.g. https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04).
Alternatively - and this applies more to Pharo.org - why not stick it on Netlify (https://www.netlify.com/docs/welcome/) which does https for you. I was amazed how much it does by checking your site off git and even offers some dynamic hooks too. I am still sizing up porting my metalsmith generated site to something pillar based - but the concept is the same and depending on how you do things, it might be quite trivial.

Tim
Hi,
I have found a simple workaround (not yet the final solution): Please check: https://tracker.pharo.org/issues-register-service