GNOME Bugzilla – Bug 544234
Bugzilla should re-enable SSL with a CA-signed SSL certificate
Last modified: 2009-09-10 12:10:37 UTC
https://bugzilla.gnome.org/ currently has a self-signed certificate. I can think of no reason why it shouldn't be using one signed by CACert.
I poked the sysadmins
Given that CAcert failed their audit (they're in the process of replacing their root keys to fix this), it isn't necessarily the best choice here. StartCom also offers zero cost certificates (http://cert.startcom.org/) and is trusted by Mozilla by default, so seems a better choice. Even if you don't think their CA inclusion policy is up to snuff, I'd trust a CA that passed more than one that failed.
Also worth noting that GoDaddy, as much as I hate them, offer free certificates for open source projects: https://www.godaddy.com/gdshop/ssl/ssl_opensource.asp. You can also get $12 SSL certificates from rapidsslonline.com. Both are ~100% recognised.
The new Bugzilla has no SSL certificate at all, so this would be really good. I suppose we could go with StartCom.
*** Bug 326501 has been marked as a duplicate of this bug. ***
*** Bug 592874 has been marked as a duplicate of this bug. ***
*** Bug 593226 has been marked as a duplicate of this bug. ***
Ping. Is anybody making any progress on this? In the short term: I'd rather have a self-signed cert so SSL encryption happens.
https://bugzilla.gnome.org no longer responds at all, which is a regression. Is this bug to blame?
I don't know about blame, but yes, SSL re-enablement following the August Bugzilla upgrade is being tracked here (having been merged in from bug 326501 comment 11, bug 592874, and bug 593226).
As far as I know, I am not capable of getting a signed SSL certificate, as I do not control the domain names or email addresses of GNOME. I have no idea who would be capable of doing it--probably somebody on the Infrastructure team. Once there is a signed cert, I am capable of installing it, no problem. I can also generate a cert and csr for anybody who needs one, for getting the cert signed.
Max, could you generate a self-signed cert and install it so HTTPS is possible, if not perfect? I think a lot of us care more about clear-text passwords than we do about a browser warning. Then, once someone on Infrastructure (or whomever) gets a cert, it can be replaced.
I can't use a self-signed certificate if you want most users to still be able and willing to access bugzilla.gnome.org, and (probably) if you want bug-buddy to keep working. Here's the problem: The current version of Bugzilla actually embeds its URL in a lot of places (for security reasons, sometimes). So when you submit the login form, you're always going to go to http even if you load the page via https. The solution to this is to make Bugzilla *enforce* SSL, which changes the URLs to be all https. This redirects every http request in Bugzilla to https, and also prevents the login cookies from being sent over HTTP connections. However, this means *all* access to Bugzilla will be over SSL. As bugzilla.gnome.org is a very popular Bugzilla, accessed by many less-clueful users, the scary SSL warning in modern browsers will scare them away if we have a self-signed cert. Also, various client applications may not function properly against a self-signed certificate (hard to say since a lot of them are using http now).
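A way to verify the two behaviours described in the comment above (every http request redirected to https, login cookies never sent over HTTP), as an added example that is not part of the original thread or of Bugzilla's code. The hostname, cookie values and sample responses are constructed; the cookie names are the ones Bugzilla uses for login.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Bugzilla's login cookie names.
LOGIN_COOKIES = {"Bugzilla_login", "Bugzilla_logincookie"}
REDIRECTS = {301, 302, 303, 307, 308}

def audit_exchange(request_url, status, headers):
    """Return findings for one request/response pair.

    headers is a list of (name, value) tuples as received from the server.
    """
    findings = []
    req = urlsplit(request_url)
    hdrs = [(name.lower(), value) for name, value in headers]

    # Rule 1: every plain-HTTP request must be redirected to https on the same host.
    if req.scheme == "http":
        location = next((v for n, v in hdrs if n == "location"), "")
        target = urlsplit(location)
        if status not in REDIRECTS or not location:
            findings.append("http request was answered instead of redirected")
        elif target.scheme != "https" or target.hostname != req.hostname:
            findings.append("redirect target is not https on the same host: " + location)

    # Rule 2: login cookies must carry Secure so browsers never send them over HTTP.
    for name, value in hdrs:
        if name != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cookie_name, morsel in jar.items():
            if cookie_name in LOGIN_COOKIES and not morsel["secure"]:
                findings.append("login cookie %s lacks the Secure attribute" % cookie_name)
    return findings

# Constructed sample exchanges (hostname and cookie values are made up).
SAMPLES = [
    ("http://bugzilla.example.org/show_bug.cgi?id=1", 302,
     [("Location", "https://bugzilla.example.org/show_bug.cgi?id=1")]),
    ("http://bugzilla.example.org/index.cgi", 200,
     [("Set-Cookie", "Bugzilla_logincookie=Xy12abCD; path=/; HttpOnly")]),
    ("https://bugzilla.example.org/index.cgi", 200,
     [("Set-Cookie", "Bugzilla_logincookie=Xy12abCD; path=/; secure; HttpOnly")]),
]

if __name__ == "__main__":
    for url, status, headers in SAMPLES:
        print(url, status, audit_exchange(url, status, headers) or "ok")
```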
(In reply to comment #13)
> the scary SSL warning in modern browsers will scare them away if we have
> a self-signed cert.

I understand your logic, and thank you for the clear explanation of the issue with a temporary self-signed cert. I guess the only thing I want to say about that is that I suppose there is a *reason* for all those scary warnings. Until someone gets a real cert, all those users are at risk of having their simple, reused passwords stolen or falling for phishing schemes. (And I get more spam to my Gnome Bugzilla e-mail account than any other, so people are harvesting these e-mail addresses.) Like Max said before, can we get this assigned to someone in Gnome? Even if it's just someone who's responsible for finding the proper person to obtain a real cert, get the onus on someone to get this fixed or at least passed off to the next person in the chain.... This bug is too big of a security issue to let wallow for over a year!
We currently have a StartSSL signed cert and bkor is helping me install it.
Okay, Bugzilla now enforces SSL using a StartCom cert (which will be supported even by IE by the end of September or so), except for the bugbuddy interface, which is exempted from the SSL redirect.
FWIW, the current SSL cert will expire on September 9, 2010. So we'll need a new one before then. I imagine there's some sort of monitoring or warning system that could be set up for this.
Wahoo! Thanks Max! You rock! A big thanks to you and bkor!
(In reply to comment #17)
> FWIW, the current SSL cert will expire on September 9, 2010. So we'll need a
> new one before then. I imagine there's some sort of monitoring or warning
> system that could be set up for this.

StartCom sends a reminder at least two weeks and one week before expiry.
(In reply to comment #17)
> FWIW, the current SSL cert will expire on September 9, 2010. So we'll need a
> new one before then. I imagine there's some sort of monitoring or warning
> system that could be set up for this.

Firefox has a nice addon for that https://addons.mozilla.org/eu/firefox/addon/8717
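One form the expiry monitoring asked about in comment #17 could take, as an added example that is not part of the original thread: a check that reads a certificate's notAfter time and grades the days left. The 30-day and 7-day thresholds and the time of day in the sample value are assumptions; only the September 9, 2010 date comes from the thread.

```python
import socket
import ssl
from datetime import datetime, timezone

# Expiry date from the thread; the time of day is constructed for the example.
SAMPLE_NOT_AFTER = "Sep  9 12:00:00 2010 GMT"

def days_remaining(not_after, now):
    """Whole days from `now` (timezone-aware) until notAfter.

    not_after uses the format ssl.SSLSocket.getpeercert() returns.
    """
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days

def classify(days, warn=30, critical=7):
    """Map days left to a monitoring status (thresholds are assumptions)."""
    if days < 0:
        return "EXPIRED"
    if days <= critical:
        return "CRITICAL"
    if days <= warn:
        return "WARNING"
    return "OK"

def fetch_not_after(host, port=443, timeout=10):
    """Read notAfter from the live certificate, validated against the system trust store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def check_host(host, now=None):
    """One status line per host, suitable for a daily cron job."""
    now = now or datetime.now(timezone.utc)
    try:
        not_after = fetch_not_after(host)
    except ssl.SSLCertVerificationError as exc:
        # An already expired or untrusted certificate fails the handshake itself.
        return "%s: CRITICAL certificate failed validation (%s)" % (host, exc.verify_message)
    days = days_remaining(not_after, now)
    return "%s: %s, %d days left (notAfter %s)" % (host, classify(days), days, not_after)

if __name__ == "__main__":
    # Offline demonstration against the sample value, as seen on the thread's last-modified date.
    then = datetime(2009, 9, 10, 12, 0, tzinfo=timezone.utc)
    print(classify(days_remaining(SAMPLE_NOT_AFTER, then)))
```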