Re: [Python-Dev] HTTPS on bugs.python.org

2017-09-07 Thread INADA Naoki
Fixed.  Thanks to infra team.
http://psf.upfronthosting.co.za/roundup/meta/issue638

INADA Naoki  


On Fri, Sep 1, 2017 at 9:57 PM, Victor Stinner  wrote:
> Hi,
>
> When I go to http://bugs.python.org/ Firefox warns me that the form on
> the left to login (user, password) sends data in clear text (HTTP).
>
> Ok, I switch manually to HTTPS: add "s" in "http://" of the URL.
>
> I log in.
>
> I go to an issue using HTTPS like https://bugs.python.org/issue31250
>
> I modify an issue using the form and click on [Submit Changes] (or
> just press Enter): I'm back to HTTP. Truncated URL:
>
> http://bugs.python.org/issue31250?@ok_message=msg%20301099%20created%...
>
> Hum, again I switch manually to HTTPS by modifying the URL:
>
> https://bugs.python.org/issue31250?@ok_message=msg%20301099%20created%...
>
> I click on the "clear this message" link: oops, I'm back to the HTTP world...
>
> http://bugs.python.org/issue31250
>
> So, would it be possible to enforce HTTPS on the bug tracker?
>
> The best would be to always generate HTTPS urls and *maybe* redirect
> HTTP to HTTPS.
>
> Sorry, I don't know what are the best practices. For example, should
> we use HTTPS only cookies?
>
> Victor
> ___
> Python-Dev mailing list
> Python-Dev@python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: 
> https://mail.python.org/mailman/options/python-dev/songofacandy%40gmail.com
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com


Re: [Python-Dev] HTTPS on bugs.python.org

2017-09-01 Thread Oleg Broytman
On Fri, Sep 01, 2017 at 02:55:40PM -0400, Terry Reedy  wrote:
> On 9/1/2017 11:31 AM, Oleg Broytman wrote:
> >On Fri, Sep 01, 2017 at 05:27:59PM +0200, Antoine Pitrou 
> > wrote:
> >>On Fri, 1 Sep 2017 17:03:59 +0200
> >>Victor Stinner  wrote:
> >>>
> >>>>And by the way the problem goes away if you use the "HTTPS Everywhere"
> >>>>plugin for Firefox.
> >>>
> >>>Try for example this page:
> >>>
> >>>https://bugs.python.org/issue31234?@ok_message=msg%20301118%20created
> >>>
> >>>For me, the "clear this message" link is HTTP, not HTTPS:
> >>>
> >>>http://bugs.python.org/issue31234
> >>
> >>Sure, but if you click on this link, it will go to the HTTPS version
> >>nevertheless.
> >
> >It doesn't for me. :-( FFox 55.0.1, HTTPS Everywhere 2017.8.15.
> 
> It fetches https: for me: 55.0.3, 2017.8.31, updated yesterday.

   I upgraded Fox and the extension. http://bugs.python.org now is
redirected to https://
   Thanks!

> >>Regards
> >>
> >>Antoine.
> >
> >Oleg.
> -- 
> Terry Jan Reedy

Oleg.
-- 
 Oleg Broytman            http://phdru.name/            p...@phdru.name
   Programmers don't die, they just GOSUB without RETURN.


Re: [Python-Dev] HTTPS on bugs.python.org

2017-09-01 Thread Terry Reedy

On 9/1/2017 11:31 AM, Oleg Broytman wrote:
> On Fri, Sep 01, 2017 at 05:27:59PM +0200, Antoine Pitrou wrote:
>> On Fri, 1 Sep 2017 17:03:59 +0200
>> Victor Stinner wrote:
>>>
>>>> And by the way the problem goes away if you use the "HTTPS Everywhere"
>>>> plugin for Firefox.
>>>
>>> Try for example this page:
>>>
>>> https://bugs.python.org/issue31234?@ok_message=msg%20301118%20created
>>>
>>> For me, the "clear this message" link is HTTP, not HTTPS:
>>>
>>> http://bugs.python.org/issue31234
>>
>> Sure, but if you click on this link, it will go to the HTTPS version
>> nevertheless.
>
> It doesn't for me. :-( FFox 55.0.1, HTTPS Everywhere 2017.8.15.

It fetches https: for me: 55.0.3, 2017.8.31, updated yesterday.

>> Regards
>>
>> Antoine.
>
> Oleg.

--
Terry Jan Reedy



Re: [Python-Dev] HTTPS on bugs.python.org

2017-09-01 Thread Oleg Broytman
On Fri, Sep 01, 2017 at 07:06:57PM +0200, Antoine Pitrou  
wrote:
> On Fri, 1 Sep 2017 17:31:00 +0200
> Oleg Broytman  wrote:
> 
> > On Fri, Sep 01, 2017 at 05:27:59PM +0200, Antoine Pitrou 
> >  wrote:
> > > On Fri, 1 Sep 2017 17:03:59 +0200
> > > Victor Stinner  wrote:  
> > > >   
> > > > > And by the way the problem goes away if you use the "HTTPS Everywhere"
> > > > > plugin for Firefox.
> > > > 
> > > > Try for example this page:
> > > > 
> > > > https://bugs.python.org/issue31234?@ok_message=msg%20301118%20created
> > > > 
> > > > For me, the "clear this message" link is HTTP, not HTTPS:
> > > > 
> > > > http://bugs.python.org/issue31234  
> > > 
> > > Sure, but if you click on this link, it will go to the HTTPS version
> > > nevertheless.  
> > 
> >It doesn't for me. :-( FFox 55.0.1, HTTPS Everywhere 2017.8.15.
> 
> That's surprising.  It's definitely part of the standard rules (enabled
> by default):
> https://www.eff.org/https-everywhere/atlas/domains/python.org.html
> 
> Perhaps you tweaked your configuration?

   Not for HTTPS Everywhere.

> Regards
> 
> Antoine.

Oleg.
-- 
 Oleg Broytman            http://phdru.name/            p...@phdru.name
   Programmers don't die, they just GOSUB without RETURN.


Re: [Python-Dev] HTTPS on bugs.python.org

2017-09-01 Thread Victor Stinner
2017-09-01 19:06 GMT+02:00 Antoine Pitrou :
> That's surprising.  It's definitely part of the standard rules (enabled
> by default):
> https://www.eff.org/https-everywhere/atlas/domains/python.org.html

Maybe the plugin is also broken, as my setup. Maybe it's related to
the recent "multiprocess" major change of Firefox?

Victor


Re: [Python-Dev] HTTPS on bugs.python.org

2017-09-01 Thread Antoine Pitrou
On Fri, 1 Sep 2017 17:31:00 +0200
Oleg Broytman  wrote:

> On Fri, Sep 01, 2017 at 05:27:59PM +0200, Antoine Pitrou 
>  wrote:
> > On Fri, 1 Sep 2017 17:03:59 +0200
> > Victor Stinner  wrote:  
> > >   
> > > > And by the way the problem goes away if you use the "HTTPS Everywhere"
> > > > plugin for Firefox.
> > > 
> > > Try for example this page:
> > > 
> > > https://bugs.python.org/issue31234?@ok_message=msg%20301118%20created
> > > 
> > > For me, the "clear this message" link is HTTP, not HTTPS:
> > > 
> > > http://bugs.python.org/issue31234  
> > 
> > Sure, but if you click on this link, it will go to the HTTPS version
> > nevertheless.  
> 
>It doesn't for me. :-( FFox 55.0.1, HTTPS Everywhere 2017.8.15.

That's surprising.  It's definitely part of the standard rules (enabled
by default):
https://www.eff.org/https-everywhere/atlas/domains/python.org.html

Perhaps you tweaked your configuration?

Regards

Antoine.




Re: [Python-Dev] HTTPS on bugs.python.org

2017-09-01 Thread INADA Naoki
You're right.  It should be bpo configuration issue.

https://hg.python.org/tracker/roundup/file/bugs.python.org/roundup/cgi/client.py#l303
https://hg.python.org/tracker/python-dev/file/tip/config.ini.template#l118

I can't real config file used for bpo.
But maybe, tracker.web is 'http://bugs.python.org/' instead of
'https://bugs.python.org/'
INADA Naoki  


On Fri, Sep 1, 2017 at 10:29 PM, Antoine Pitrou  wrote:
> On Fri, 1 Sep 2017 22:15:29 +0900
> INADA Naoki  wrote:
>> FYI, there is issue report for it.
>> http://psf.upfronthosting.co.za/roundup/meta/issue463
>> INADA Naoki  
>
> That issue is about making the tracker HTTPS-only, but fixing
> internal links to point to the HTTPS site would already go a long way,
> even without switching off HTTP access.
>
> Regards
>
> Antoine.
>
>


Re: [Python-Dev] HTTPS on bugs.python.org

2017-09-01 Thread Oleg Broytman
On Fri, Sep 01, 2017 at 05:27:59PM +0200, Antoine Pitrou  
wrote:
> On Fri, 1 Sep 2017 17:03:59 +0200
> Victor Stinner  wrote:
> > 
> > > And by the way the problem goes away if you use the "HTTPS Everywhere"
> > > plugin for Firefox.  
> > 
> > Try for example this page:
> > 
> > https://bugs.python.org/issue31234?@ok_message=msg%20301118%20created
> > 
> > For me, the "clear this message" link is HTTP, not HTTPS:
> > 
> > http://bugs.python.org/issue31234
> 
> Sure, but if you click on this link, it will go to the HTTPS version
> nevertheless.

   It doesn't for me. :-( FFox 55.0.1, HTTPS Everywhere 2017.8.15.

> Regards
> 
> Antoine.

Oleg.
-- 
 Oleg Broytman            http://phdru.name/            p...@phdru.name
   Programmers don't die, they just GOSUB without RETURN.


Re: [Python-Dev] HTTPS on bugs.python.org

2017-09-01 Thread Antoine Pitrou
On Fri, 1 Sep 2017 17:03:59 +0200
Victor Stinner  wrote:
> 
> > And by the way the problem goes away if you use the "HTTPS Everywhere"
> > plugin for Firefox.  
> 
> Try for example this page:
> 
> https://bugs.python.org/issue31234?@ok_message=msg%20301118%20created
> 
> For me, the "clear this message" link is HTTP, not HTTPS:
> 
> http://bugs.python.org/issue31234

Sure, but if you click on this link, it will go to the HTTPS version
nevertheless.

Regards

Antoine.




Re: [Python-Dev] HTTPS on bugs.python.org

2017-09-01 Thread Victor Stinner
2017-09-01 16:34 GMT+02:00 Antoine Pitrou :
> I'm using Firefox 55 on Ubuntu 16.04 and it works here.  You may be
> misunderstanding what happens :-)

Maybe I misunderstood you when you wrote:

> And by the way the problem goes away if you use the "HTTPS Everywhere"
> plugin for Firefox.

Try for example this page:

https://bugs.python.org/issue31234?@ok_message=msg%20301118%20created

For me, the "clear this message" link is HTTP, not HTTPS:

http://bugs.python.org/issue31234

Victor


Re: [Python-Dev] HTTPS on bugs.python.org

2017-09-01 Thread Antoine Pitrou

On 01/09/2017 at 16:32, Victor Stinner wrote:
> 
> In short, it doesn't work :-)

I'm using Firefox 55 on Ubuntu 16.04 and it works here.  You may be
misunderstanding what happens :-)

Regards

Antoine.


Re: [Python-Dev] HTTPS on bugs.python.org

2017-09-01 Thread Victor Stinner
2017-09-01 15:36 GMT+02:00 Antoine Pitrou :
> And by the way the problem goes away if you use the "HTTPS Everywhere"
> plugin for Firefox.

I do have "HTTPS Everywhere" Firefox plugin version 2017.8.31 (so it
seems very recent), but it is displayed as "obsolete" ("obsolète" in
French). I'm using Firefox 55 on Fedora 26. It seems like the plugin
has to be updated to use the new WebExtensions API.

https://www.eff.org/https-everywhere

https://github.com/EFForg/https-everywhere/issues/7389

"No. HTTPS Everywhere has already been migrated to WebExtensions.
We're unable to switch HTTPSE on Firefox over to WebExtensions until
Tor Browser rebases to FF 52 ESR, as I already stated: #7389
(comment)"

"Currently the main blocker to WebExtensions deployment on Firefox is
a secure signing mechanism for the self-hosted version. See #9958
(comment)"

In short, it doesn't work :-)

Victor


Re: [Python-Dev] HTTPS on bugs.python.org

2017-09-01 Thread Wes Turner
Here's e.g. Jupyter Notebook w/ letsencrypt in a Makefile:

https://github.com/jupyter/docker-stacks/blob/master/examples/make-deploy/letsencrypt.makefile

... https://github.com/jupyter/docker-stacks

On Fri, Sep 1, 2017 at 9:08 AM, Wes Turner  wrote:

>
> ## HTTP STS
> - Wikipedia: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
> - Docs: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
>
> - https://https.cio.gov/hsts/
>
> ## letsencrypt
> "A free, automated, and open certificate authority."
>
> - Wikipedia: https://en.wikipedia.org/wiki/Let%27s_Encrypt
> - Homepage: https://letsencrypt.org/
> - Src: https://github.com/letsencrypt
> - Docs: https://letsencrypt.readthedocs.io/en/latest/
> - Docs: https://letsencrypt.readthedocs.io/en/latest/using.html#getting-certificates-and-choosing-plugins
> - Docs: https://letsencrypt.readthedocs.io/en/latest/using.html#third-party-plugins
>
> ### ACME Protocol
> - Wikipedia: https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment
>
>
>
>
> On Fri, Sep 1, 2017 at 8:35 AM, Mariatta Wijaya wrote:
>
>> I also would like the links from bug tracker emails be in https instead
>> of http.
>>
>>
>>
>> On Sep 1, 2017 6:31 AM, "Antoine Pitrou"  wrote:
>>
>>> On Fri, 1 Sep 2017 22:15:29 +0900
>>> INADA Naoki  wrote:
>>> > FYI, there is issue report for it.
>>> > http://psf.upfronthosting.co.za/roundup/meta/issue463
>>> > INADA Naoki  
>>>
>>> That issue is about making the tracker HTTPS-only, but fixing
>>> internal links to point to the HTTPS site would already go a long way,
>>> even without switching off HTTP access.
>>>
>>> Regards
>>>
>>> Antoine.
>>>
>>>


Re: [Python-Dev] HTTPS on bugs.python.org

2017-09-01 Thread Terry Reedy

On 9/1/2017 9:36 AM, Antoine Pitrou wrote:

> And by the way the problem goes away if you use the "HTTPS Everywhere"
> plugin for Firefox.

Firefox has both 'extension' and 'plugin' add-ons.  "HTTPS Everywhere"
is found under 'extensions'.  Works great.

> On Fri, 1 Sep 2017 15:29:58 +0200
> Antoine Pitrou wrote:
>> On Fri, 1 Sep 2017 22:15:29 +0900
>> INADA Naoki wrote:
>>> FYI, there is issue report for it.
>>> http://psf.upfronthosting.co.za/roundup/meta/issue463
>>> INADA Naoki
>>
>> That issue is about making the tracker HTTPS-only, but fixing
>> internal links to point to the HTTPS site would already go a long way,
>> even without switching off HTTP access.

--
Terry Jan Reedy



Re: [Python-Dev] HTTPS on bugs.python.org

2017-09-01 Thread Wes Turner
## HTTP STS
- Wikipedia: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
- Docs:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

- https://https.cio.gov/hsts/

## letsencrypt
"A free, automated, and open certificate authority."

- Wikipedia: https://en.wikipedia.org/wiki/Let%27s_Encrypt
- Homepage: https://letsencrypt.org/
- Src: https://github.com/letsencrypt
- Docs: https://letsencrypt.readthedocs.io/en/latest/
- Docs:
https://letsencrypt.readthedocs.io/en/latest/using.html#getting-certificates-and-choosing-plugins
- Docs:
https://letsencrypt.readthedocs.io/en/latest/using.html#third-party-plugins

### ACME Protocol
- Wikipedia:
https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment




On Fri, Sep 1, 2017 at 8:35 AM, Mariatta Wijaya 
wrote:

> I also would like the links from bug tracker emails be in https instead of
> http.
>
>
>
> On Sep 1, 2017 6:31 AM, "Antoine Pitrou"  wrote:
>
>> On Fri, 1 Sep 2017 22:15:29 +0900
>> INADA Naoki  wrote:
>> > FYI, there is issue report for it.
>> > http://psf.upfronthosting.co.za/roundup/meta/issue463
>> > INADA Naoki  
>>
>> That issue is about making the tracker HTTPS-only, but fixing
>> internal links to point to the HTTPS site would already go a long way,
>> even without switching off HTTP access.
>>
>> Regards
>>
>> Antoine.
>>
>>


Re: [Python-Dev] HTTPS on bugs.python.org

2017-09-01 Thread Mariatta Wijaya
I also would like the links from bug tracker emails be in https instead of
http.



On Sep 1, 2017 6:31 AM, "Antoine Pitrou"  wrote:

> On Fri, 1 Sep 2017 22:15:29 +0900
> INADA Naoki  wrote:
> > FYI, there is issue report for it.
> > http://psf.upfronthosting.co.za/roundup/meta/issue463
> > INADA Naoki  
>
> That issue is about making the tracker HTTPS-only, but fixing
> internal links to point to the HTTPS site would already go a long way,
> even without switching off HTTP access.
>
> Regards
>
> Antoine.
>
>


Re: [Python-Dev] HTTPS on bugs.python.org

2017-09-01 Thread Antoine Pitrou

And by the way the problem goes away if you use the "HTTPS Everywhere"
plugin for Firefox.

Regards

Antoine.


On Fri, 1 Sep 2017 15:29:58 +0200
Antoine Pitrou  wrote:
> On Fri, 1 Sep 2017 22:15:29 +0900
> INADA Naoki  wrote:
> > FYI, there is issue report for it.
> > http://psf.upfronthosting.co.za/roundup/meta/issue463
> > INADA Naoki    
> 
> That issue is about making the tracker HTTPS-only, but fixing
> internal links to point to the HTTPS site would already go a long way,
> even without switching off HTTP access.
> 
> Regards
> 
> Antoine.
> 
> 





Re: [Python-Dev] HTTPS on bugs.python.org

2017-09-01 Thread Antoine Pitrou
On Fri, 1 Sep 2017 22:15:29 +0900
INADA Naoki  wrote:
> FYI, there is issue report for it.
> http://psf.upfronthosting.co.za/roundup/meta/issue463
> INADA Naoki  

That issue is about making the tracker HTTPS-only, but fixing
internal links to point to the HTTPS site would already go a long way,
even without switching off HTTP access.

Regards

Antoine.




Re: [Python-Dev] HTTPS on bugs.python.org

2017-09-01 Thread INADA Naoki
FYI, there is issue report for it.
http://psf.upfronthosting.co.za/roundup/meta/issue463
INADA Naoki  


On Fri, Sep 1, 2017 at 9:57 PM, Victor Stinner  wrote:
> Hi,
>
> When I go to http://bugs.python.org/ Firefox warns me that the form on
> the left to login (user, password) sends data in clear text (HTTP).
>
> Ok, I switch manually to HTTPS: add "s" in "http://" of the URL.
>
> I log in.
>
> I go to an issue using HTTPS like https://bugs.python.org/issue31250
>
> I modify an issue using the form and click on [Submit Changes] (or
> just press Enter): I'm back to HTTP. Truncated URL:
>
> http://bugs.python.org/issue31250?@ok_message=msg%20301099%20created%...
>
> Hum, again I switch manually to HTTPS by modifying the URL:
>
> https://bugs.python.org/issue31250?@ok_message=msg%20301099%20created%...
>
> I click on the "clear this message" link: oops, I'm back to the HTTP world...
>
> http://bugs.python.org/issue31250
>
> So, would it be possible to enforce HTTPS on the bug tracker?
>
> The best would be to always generate HTTPS urls and *maybe* redirect
> HTTP to HTTPS.
>
> Sorry, I don't know what are the best practices. For example, should
> we use HTTPS only cookies?
>
> Victor


[Python-Dev] HTTPS on bugs.python.org

2017-09-01 Thread Victor Stinner
Hi,

When I go to http://bugs.python.org/ Firefox warns me that the form on
the left to login (user, password) sends data in clear text (HTTP).

Ok, I switch manually to HTTPS: add "s" in "http://" of the URL.

I log in.

I go to an issue using HTTPS like https://bugs.python.org/issue31250

I modify an issue using the form and click on [Submit Changes] (or
just press Enter): I'm back to HTTP. Truncated URL:

http://bugs.python.org/issue31250?@ok_message=msg%20301099%20created%...

Hum, again I switch manually to HTTPS by modifying the URL:

https://bugs.python.org/issue31250?@ok_message=msg%20301099%20created%...

I click on the "clear this message" link: oops, I'm back to the HTTP world...

http://bugs.python.org/issue31250

So, would it be possible to enforce HTTPS on the bug tracker?

The best would be to always generate HTTPS urls and *maybe* redirect
HTTP to HTTPS.

Sorry, I don't know what are the best practices. For example, should
we use HTTPS only cookies?

Victor
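
A defender-side check for the three points raised in this thread (same-host links generated as http://, cookies without the Secure attribute, no Strict-Transport-Security header), given as an added example that is not part of any message in the thread or of the tracker's own code. The response headers, body and cookie name are constructed samples; only the URLs come from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _UrlAttrs(HTMLParser):
    """Collect href/action/src values: links, form targets, resources."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "action", "src") and value:
                self.found.append((tag, name, value))


def audit_response(page_url, headers, body):
    """Return (kind, detail) findings for one response served over HTTPS.

    headers is a list of (name, value) pairs so repeated Set-Cookie survive.
    """
    page = urlsplit(page_url)
    if page.scheme != "https":
        return [("not-https", page_url)]
    findings = []

    # 1. Same-host URLs generated as http://: following one leaves HTTPS.
    parser = _UrlAttrs()
    parser.feed(body)
    for tag, attr, raw in parser.found:
        target = urlsplit(urljoin(page_url, raw))
        if target.scheme == "http" and target.hostname == page.hostname:
            findings.append(("downgrade-link", f"<{tag} {attr}={raw!r}>"))

    # 2. Cookies lacking Secure are also sent on plain-HTTP requests.
    # 3. Without HSTS the browser never learns to upgrade http:// itself.
    has_hsts = False
    for name, value in headers:
        if name.lower() == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            flags = {p.split("=", 1)[0].lower() for p in parts[1:]}
            if "secure" not in flags:
                cookie_name = parts[0].split("=", 1)[0]
                findings.append(("cookie-without-secure", cookie_name))
        elif name.lower() == "strict-transport-security":
            has_hsts = True
    if not has_hsts:
        findings.append(("missing-hsts", page.hostname))
    return findings


# Constructed sample response; the cookie name and markup are assumptions.
SAMPLE_URL = "https://bugs.python.org/issue31234?@ok_message=msg%20301118%20created"
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "example_session=abc123; Path=/; HttpOnly"),
]
SAMPLE_BODY = """
<a href="http://bugs.python.org/issue31234">clear this message</a>
<form method="POST" action="issue31234"><input type="submit"></form>
<a href="https://bugs.python.org/issue31250">issue31250</a>
<a href="http://www.example.org/">external site</a>
"""

if __name__ == "__main__":
    for kind, detail in audit_response(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{kind}: {detail}")
```

Relative URLs and links to other hosts are not reported; only absolute http:// URLs on the page's own host count as downgrades.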