Re: [Templates/Extensions] About end-users request to run sites under HTTPS
Am 01/26/2014 06:27 PM, schrieb jan i: On 26 January 2014 16:54, Andrea Pescettipesce...@apache.org wrote: On 23/01/2014 Roberto Galoppini wrote: Time by time we receive end-users' requests asking why extensions. and templates. don't run under HTTPS. If we want to, SourceForge would be happy to install such certificates. Thoughts? It would make sense to have HTTPS on both those sites. Infra managed all of this internally so I don't know any details, but we now have a certificate for *.openoffice.org that we are using on the wiki and forum. Of course, the difference is that wiki/forum are hosted internally, and I believe it's impossible, for security reasons, to make that same certificate available for extensions and templates, which are hosted externally. I suggest that we proceed as follows: if there is consensus that it is a good feature to have HTTPS on Extensions and Templates, we will contact Infra and ask what to do (maybe the project should create two separate certificates covering only extensions.openoffice.org and templates.openoffice.org and hand them over to SourceForge to apply them; but honestly I don't know). Wearing my infra hat: *.openoffice.org can only be used for services located on apache hosts, we cannot give the certificate to e.g. sourceforge. However it would be possible to make a https: page under www.openoffice.org located on apache servers, that list extensions from e.g. sourceforge, meaning the extensions themself can be located outside apache (download will be http:// but lookup is https://). When you click on the link to download the extension/template, wouldn't this force a message in the browser like You are requesting possibly unsecure data from a secure webpage? Do you really want to go on? If so, I don't think that this would be helpful. Marcus - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: [Templates/Extensions] About end-users request to run sites under HTTPS
On 26/01/2014 jan i wrote: *.openoffice.org can only be used for services located on apache hosts, we cannot give the certificate to e.g. sourceforge. OK. So this is clear: the fact that we do have a *.openoffice.org certificate becomes irrelevant for this discussion since it cannot be used for externally hosted sites anyway. Good. However it would be possible to make a https: page under www.openoffice.org located on apache servers, that list extensions from e.g. sourceforge, meaning the extensions themself can be located outside apache (download will be http:// but lookup is https://). Besides the comment by Marcus, I think that here the idea is simply to be able (I see it from the user's point of view) to offer login and sessions over HTTPS at the same URL. So just like we moved http://wiki.openoffice.org - https://wiki.openoffice.org keeping it on the same server, the idea would be to move http://extensions.openoffice.org - https://extensions.openoffice.org but keeping it hosted where it is, not mirrored on the Apache servers. Now, would this need a specific certificate covering only extensions.openoffice.org that can be requested (by whom? Apache?) and then handed over to SourceForge? I have no idea if this is a feasible solution, cost, effort, security considerations... Maybe there are other examples of domains where the DNS zone is managed by Apache, but hosting is external and HTTPS is available. Regards, Andrea. - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: [Templates/Extensions] About end-users request to run sites under HTTPS
On 28 January 2014 23:41, Andrea Pescetti pesce...@apache.org wrote: On 26/01/2014 jan i wrote: *.openoffice.org can only be used for services located on apache hosts, we cannot give the certificate to e.g. sourceforge. OK. So this is clear: the fact that we do have a *.openoffice.orgcertificate becomes irrelevant for this discussion since it cannot be used for externally hosted sites anyway. Good. However it would be possible to make a https: page under www.openoffice.org located on apache servers, that list extensions from e.g. sourceforge, meaning the extensions themself can be located outside apache (download will be http:// but lookup is https://). Besides the comment by Marcus, I think that here the idea is simply to be able (I see it from the user's point of view) to offer login and sessions over HTTPS at the same URL. So just like we moved http://wiki.openoffice.org - https://wiki.openoffice.org keeping it on the same server, the idea would be to move http://extensions.openoffice.org - https://extensions.openoffice.org but keeping it hosted where it is, not mirrored on the Apache servers. Now, would this need a specific certificate covering only extensions.openoffice.org that can be requested (by whom? Apache?) and then handed over to SourceForge? I have no idea if this is a feasible solution, cost, effort, security considerations... Maybe there are other examples of domains where the DNS zone is managed by Apache, but hosting is external and HTTPS is available. we have wildcard certificate,so to my best knowledge we cannot in parallel have a specific certificate. DNS zone is not enough,the https endpoint need to be one of our proxy servers. Our proxy servers proxies the request to another (internal) url which do not have the openoffice certificate. This method would do the trix but all traffic would go through the proxy. Please remark this is not redirect so no ugly warning. rgds jan i Regards, Andrea. - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: [Templates/Extensions] About end-users request to run sites under HTTPS
On 23/01/2014 Roberto Galoppini wrote: Time by time we receive end-users' requests asking why extensions. and templates. don't run under HTTPS. If we want to, SourceForge would be happy to install such certificates. Thoughts? It would make sense to have HTTPS on both those sites. Infra managed all of this internally so I don't know any details, but we now have a certificate for *.openoffice.org that we are using on the wiki and forum. Of course, the difference is that wiki/forum are hosted internally, and I believe it's impossible, for security reasons, to make that same certificate available for extensions and templates, which are hosted externally. I suggest that we proceed as follows: if there is consensus that it is a good feature to have HTTPS on Extensions and Templates, we will contact Infra and ask what to do (maybe the project should create two separate certificates covering only extensions.openoffice.org and templates.openoffice.org and hand them over to SourceForge to apply them; but honestly I don't know). Regards, Andrea. - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: [Templates/Extensions] About end-users request to run sites under HTTPS
On 26 January 2014 16:54, Andrea Pescetti pesce...@apache.org wrote: On 23/01/2014 Roberto Galoppini wrote: Time by time we receive end-users' requests asking why extensions. and templates. don't run under HTTPS. If we want to, SourceForge would be happy to install such certificates. Thoughts? It would make sense to have HTTPS on both those sites. Infra managed all of this internally so I don't know any details, but we now have a certificate for *.openoffice.org that we are using on the wiki and forum. Of course, the difference is that wiki/forum are hosted internally, and I believe it's impossible, for security reasons, to make that same certificate available for extensions and templates, which are hosted externally. I suggest that we proceed as follows: if there is consensus that it is a good feature to have HTTPS on Extensions and Templates, we will contact Infra and ask what to do (maybe the project should create two separate certificates covering only extensions.openoffice.org and templates.openoffice.org and hand them over to SourceForge to apply them; but honestly I don't know). Wearing my infra hat: *.openoffice.org can only be used for services located on apache hosts, we cannot give the certificate to e.g. sourceforge. However it would be possible to make a https: page under www.openoffice.org located on apache servers, that list extensions from e.g. sourceforge, meaning the extensions themself can be located outside apache (download will be http:// but lookup is https://). I hope this helps in the discussion. rgds jan I. Regards, Andrea. - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org