Bug 326501 - move bugzilla login to a secure server (HTTPS)
Status: RESOLVED DUPLICATE of bug 544234
Product: bugzilla.gnome.org
Classification: Infrastructure
Component: general
Version: unspecified
OS: Other Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: Bugzilla Maintainers
QA Contact: Bugzilla Maintainers
Duplicates: 334327
Depends on: 442785
Blocks:
 
 
Reported: 2006-01-10 19:08 UTC by André Klapper
Modified: 2009-08-21 06:42 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
My Server's SSL Configuration File (10.90 KB, text/plain), 2006-02-08 03:21 UTC, Kevin McBride
The mysql.php file used on my web server (19.75 KB, text/plain), 2006-02-08 03:23 UTC, Kevin McBride

Description André Klapper 2006-01-10 19:08:15 UTC
Subject says it.
I could hang around at university with my laptop, triage bugs, and my password would not get stolen by a kiddie running Ethereal.
I know it's work, but I think it would be really cool. Thanks in advance.
Comment 1 Andrew Sobala 2006-01-11 16:03:58 UTC
About 5 years ago, the justification for not running bugzilla on HTTPS was "We give editbugs permissions out to virtually anyone who asks, so permissions don't mean very much. It's a lot of work to move to secure HTTP. If you're using the same password for bugzilla as for other sites, well, you shouldn't be."

I believe this is still valid for editbugs. However, if someone stole my password (or another bugzilla admin's), and was feeling malicious, things would become much more unpleasant.

End of the day, if someone had the motivation to do it, it wouldn't hurt.
Comment 2 Kevin McBride 2006-02-08 03:21:36 UTC
Created attachment 58893 [details]
My Server's SSL Configuration File

I find that SSL can make client authentication passwordless, as demonstrated in my server's SSL config file.  I do so by comparing the incoming client certificate's e-mail address against my database (mysql biz.custinfo.email), and if there's a match, the client is authenticated without asking for a password.  The user, however, would have to click on a link above the login and password fields to attempt the passwordless authentication.

My current setup will trust only GlobalSign certificates for passwordless client authentication.  GlobalSign http://www.globalsign.net/ will never issue a certificate without first verifying the identity of the applicants.  I have trusted GlobalSign for three years so far.

GlobalSign's demo certificates are an exception to the rule.  The demo certs are signed by the Primary Class 1.  However, they are NOT chained to the GlobalSign Root Master certificate in any way.  This allows Apache to trust the Root certificate without any security problems.

One problem though is, I am not familiar with perl.  So if I am allowed to assist in getting bugzilla working with SSL, I will need assistance from a perl developer.  I will attach my mysql.php file in a few seconds - it contains code that checks for a client certificate, and then authenticates using the certificate instead of a password.
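The decision described in comment 2, written out as an added example (this is not Kevin McBride's mysql.php, nor GNOME's or Bugzilla's code). Apache's mod_ssl verifies the client certificate chain and, with `SSLOptions +StdEnvVars`, exports the outcome as CGI environment variables (`SSL_CLIENT_VERIFY`, `SSL_CLIENT_I_DN_CN`, `SSL_CLIENT_S_DN_Email`); the application then accepts the identity only if the chain verified, the issuer is one it trusts, and the certificate's e-mail address maps to a known account. The account table and the issuer CN are constructed placeholders.

```python
"""Passwordless login from a client certificate that mod_ssl already verified.

Added example, not code from the bug thread. The checks model comment 2's
scheme: trust only a specific issuer, then match the certificate's e-mail
address against the account database.
"""
from typing import Mapping, Optional

# Constructed stand-in for the customer database (biz.custinfo.email in the
# comment). Keys are lower-cased e-mail addresses, values are account names.
ACCOUNTS = {
    "alice@example.org": "alice",
    "bob@example.org": "bob",
}

# Only certificates issued by these CAs may vouch for a passwordless login.
# The CN is assumed for illustration; match it against the issuer of the CA
# certificate you actually load with SSLCACertificateFile.
TRUSTED_ISSUER_CNS = frozenset({"GlobalSign Primary Class 1 CA"})


def user_from_client_cert(env: Mapping[str, str],
                          accounts: Mapping[str, str] = ACCOUNTS,
                          trusted_issuers=TRUSTED_ISSUER_CNS) -> Optional[str]:
    """Return the account to log in as, or None to fall back to a password.

    `env` is the CGI environment as mod_ssl populates it.
    """
    # 1. The chain must have verified. With SSLVerifyClient optional, a
    #    missing or bad certificate shows up as NONE or FAILED:<reason>;
    #    neither may authenticate anyone.
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None

    # 2. Pin the issuer. Verifying against *some* CA in the bundle is not the
    #    same as being issued by the CA whose identity vetting we rely on.
    if env.get("SSL_CLIENT_I_DN_CN") not in trusted_issuers:
        return None

    # 3. Map the certificate's e-mail address to an account. Normalise case,
    #    since the certificate and the database may not agree on it.
    email = env.get("SSL_CLIENT_S_DN_Email", "").strip().lower()
    if not email:
        return None
    return accounts.get(email)
```

The order of the checks is the point: the e-mail comparison alone (step 3) would accept any certificate that happens to carry a matching address, so steps 1 and 2 are what make the result trustworthy.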
Comment 3 Kevin McBride 2006-02-08 03:23:09 UTC
Created attachment 58894 [details]
The mysql.php file used on my web server
Comment 4 Elijah Newren 2006-03-12 20:50:58 UTC
*** Bug 334327 has been marked as a duplicate of this bug. ***
Comment 5 Guilherme de Siqueira Pastore 2006-06-25 14:59:18 UTC
It's certainly more comfortable for those triaging (even if absolutely no harm could be done, which is not true, it is not fun to have your password stolen, no matter what it is used for), and I also agree with Andrew (mainly because I am not too much into restoring gigabytes from tape backups).

I will be looking into this soon, although I'll probably only set this up for the new bugzilla server, which should probably become the only one soon anyway.
Comment 6 Mart Raudsepp 2007-06-02 03:51:04 UTC
Isn't this just about making the login form actions point at https instead of http at this point...?
Comment 7 Pavel Šefránek 2008-03-17 21:47:53 UTC
Any news, guys?
Comment 8 André Klapper 2008-03-17 23:50:54 UTC
Oh well - login works with HTTPS, so I'm happy :)
Comment 9 Christian Kirbach 2008-05-13 19:17:34 UTC
André, can we close it then?
Comment 10 Mart Raudsepp 2008-05-13 22:53:56 UTC
It still logs in over clear text when you use a log in form from over a http:// link. The only case where it is securely over SSL is when you knowingly make sure you log in from a https://bugzilla.gnome.org/* link - not reliable at all. For example you are given a bug link with http://, you just open it and shoot off another comment but you need to log in. You don't give a second thought and it will send the password clear on the wire.
What should happen is that login form action targets are always to secure https:// links - that they aren't still, so I consider this still a bug myself. If Andre doesn't, and this gets closed, I'll have to open a new one with basically the same subject.
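The failure mode described in comment 10, as an added example that is not part of the bug thread or of Bugzilla itself: a login form with a relative `action` inherits the scheme of the page it was served on, so the same form is safe at `https://` and leaks the password at `http://`. The function below resolves each form's action against the page URL and reports any password form that would post over plain HTTP. The HTML snippets are constructed; the only assumption about the real page is that its password field is an `<input type="password">`.

```python
"""Detect login forms whose action would submit credentials in the clear.

Added example, not code from the bug thread. Resolves each <form action>
against the URL the page was fetched from and flags password forms whose
resolved target is not https://.
"""
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect (action, has_password_field) for every <form> in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Tuple[Optional[str], bool]] = []
        self._current: Optional[list] = None  # [action, has_password]

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing action means "submit to the current URL".
            self._current = [attrs.get("action"), False]
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append((self._current[0], self._current[1]))
            self._current = None


def cleartext_login_actions(page_url: str, html: str) -> List[str]:
    """Return the resolved action URLs of password forms that post over http.

    A relative action such as "index.cgi" takes its scheme from page_url, so
    the verdict depends on how the page was reached, exactly as comment 10
    describes.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    leaks = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action or "")
        if urlsplit(target).scheme != "https":
            leaks.append(target)
    return leaks


# Constructed sample: relative action, the pattern the comment complains about.
RELATIVE_FORM = (
    '<form method="post" action="index.cgi">'
    '<input name="Bugzilla_login">'
    '<input type="password" name="Bugzilla_password">'
    '</form>'
)
# Constructed fix: an absolute https:// action, so the page's own scheme no
# longer matters.
ABSOLUTE_FORM = (
    '<form method="post" action="https://bugzilla.example.org/index.cgi">'
    '<input name="Bugzilla_login">'
    '<input type="password" name="Bugzilla_password">'
    '</form>'
)

if __name__ == "__main__":
    for url in ("http://bugzilla.example.org/show_bug.cgi?id=1",
                "https://bugzilla.example.org/show_bug.cgi?id=1"):
        print(url, "relative:", cleartext_login_actions(url, RELATIVE_FORM),
              "absolute:", cleartext_login_actions(url, ABSOLUTE_FORM))
```

Run against a page fetched over `http://`, the relative form is reported and the absolute one is not; fetched over `https://`, neither is. That asymmetry is why "log in from an https:// link" is not a fix and an absolute https action (or an unconditional redirect to https before the form is ever served) is.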
Comment 11 Matt McCutchen 2009-08-16 03:18:59 UTC
SSL availability has regressed with the recent Bugzilla upgrade.

Re comment 10: my solution was to save my password in Firefox for https://bugzilla.gnome.org, and Firefox didn't auto-fill it on non-SSL pages.
Comment 12 Max Kanat-Alexander 2009-08-21 06:17:49 UTC
*** This bug has been marked as a duplicate of bug 544234 ***
Comment 13 Matt McCutchen 2009-08-21 06:22:16 UTC
This is not a duplicate of bug 544234 as they are currently stated: that bug is about having a better certificate, and this one is about having SSL at all.  Max, if you want to combine them, please change bug 544234 to something like "Bugzilla should support SSL with a CA-signed certificate".
Comment 14 Max Kanat-Alexander 2009-08-21 06:42:31 UTC
Done. :-)