GNOME Bugzilla – Bug 743449
Use HTTPS whenever possible
Last modified: 2015-01-27 18:01:00 UTC
Created attachment 295338 Use HTTPS whenever possible
To avoid leaking (potentially uniquely identifiable) user data over plain text (be it search phrases, hashes of contact emails, etc.), use HTTPS whenever possible. The attached patch switches the vimeo, youtube, gravatar, Jamendo, and lastfm plugins to use https.
Unfortunately with lastfm we cannot completely avoid leaking the names of the albums the user has on their system because their CDN (where the plugin fetches the images from) serves a certificate only valid for something.something.akamai.net, so enabling HTTPS on that URL would fail. If we could somehow hardcode *.akamai.net as a valid CN for these URLs, then we could avoid leaking user data over plain text in this case too. Unfortunately, I don't see a way to do so in libsoup.
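The hostname mismatch described in the report above, and the per-host allowance it wishes for, as an added Python example (not code from this bug, the plugins or libsoup). The `cert_valid_for` function, its `overrides` map and every hostname are constructed assumptions; name matching follows the single-label wildcard rule of RFC 6125.

```python
# Added illustration; every hostname below is a constructed placeholder.

def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname (RFC 6125, 6.4.3).

    A wildcard counts only as the whole leftmost label and covers exactly
    one label, so "*.akamai.net" does not cover "edge.e.akamai.net".
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Refuse overly broad patterns such as "*.net".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_valid_for(cert_names, hostname, overrides=None):
    """True if the certificate's names cover `hostname`.

    `overrides` (hypothetical) maps one exact requested hostname to the
    DNS suffix its certificate may carry instead. Chain validation is
    assumed to have passed already and is not modelled here.
    """
    if any(name_matches(n, hostname) for n in cert_names):
        return True
    suffix = (overrides or {}).get(hostname.lower().rstrip("."))
    if suffix is None:
        return False
    return any(n.lower().rstrip(".").endswith("." + suffix) for n in cert_names)


# Constructed sample data: the bug names neither the CDN host nor the
# exact certificate name, only "something.something.akamai.net".
CDN_HOST = "images.cdn.example"
CERT_NAMES = ["edge.e.akamai.net"]
OVERRIDES = {CDN_HOST: "akamai.net"}

if __name__ == "__main__":
    print("strict check:  ", cert_valid_for(CERT_NAMES, CDN_HOST))
    print("with override: ", cert_valid_for(CERT_NAMES, CDN_HOST, OVERRIDES))
    print("other host:    ", cert_valid_for(CERT_NAMES, "api.example", OVERRIDES))
```

Because the override is keyed on the exact requested host, the relaxed name is not accepted for any other connection, and a certificate outside the allowed suffix is still rejected.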
Review of attachment 295338:
Looks good, but could you make it one patch per-plugin (plugin + test when applicable)?
Created attachment 295396 gravatar: Use HTTPS
Sure.
Created attachment 295397 jamendo: Use HTTPS
Created attachment 295398 vimeo: Use HTTPS
Created attachment 295399 youtube: Use HTTPS
Created attachment 295400 lastfm: Use HTTPS (partially)
Done.
Now you're missing all the details you had in the original commit message.
Created attachment 295437 gravatar: Use HTTPS
I thought it was obvious enough, but here we go, all the patches again with that line in each.
Created attachment 295438 jamendo: Use HTTPS
Created attachment 295439 vimeo: Use HTTPS
Created attachment 295440 youtube: Use HTTPS
Created attachment 295441 lastfm: Use HTTPS (partially)
Done.
All committed with fixed up commit messages.