Subpage https://kubuntu.org/getkubuntu/ shows mixed content warnings

Bug #1714446 reported by Hanno Böck
This bug affects 1 person
Affects: Kubuntu Website; Status: Incomplete; Importance: Undecided; Assigned to: Unassigned; Milestone: not set

Bug Description

The page
https://kubuntu.org/getkubuntu/
gets a degraded security warning in browsers, because it contains mixed content (unprotected HTTP content within an HTTPS webpage).

The reason is a stylesheet included from Google:
<link rel='stylesheet' id='google-fonts-style-css' href='http://fonts.googleapis.com/css?family=Oxygen%3A400%2C300%2C700&#038;ver=4.8.1' type='text/css' media='all' />

Google of course supports HTTPS, so this can be easily avoided. Change this to either an HTTPS URL or a protocol-relative URL like this:
<link rel='stylesheet' id='google-fonts-style-css' href='//fonts.googleapis.com/css?family=Oxygen%3A400%2C300%2C700&#038;ver=4.8.1' type='text/css' media='all' />

A second http reference in the header is this:
<link rel="profile" href="http://gmpg.org/xfn/11" />

This URL also seems to be available over HTTPS, so you can change it as well.

Revision history for this message
Clive Johnston (clivejo) wrote :

The same CSS and profile links are embedded in the "home page" and other pages as well, however these don't get a degraded security warning.

I'm pretty sure this is related more to the <form> calls to the insecure http://cdimage.ubuntu.com site. We will have to try and convince Canonical to install an SSL cert on cdimage.ubuntu.com so that we can use https in these form calls (they direct the visitor to the correct iso on cdimage.ubuntu.com).
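
A small checker for the kind of plain-http references discussed in the report (stylesheet and profile links) and in the comment above (form targets), added here as an example; it is not code from the Kubuntu site or from Launchpad. The sample markup is constructed from the tags quoted in this bug, and the hostname example.invalid is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Element -> attribute carrying a URL the browser may fetch from or submit to.
URL_ATTRS = {"link": "href", "script": "src", "img": "src", "iframe": "src", "form": "action"}


class MixedContentScanner(HTMLParser):
    # Collects (tag, url, kind, suggested_fix) for every plain-http reference.
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = URL_ATTRS.get(tag)
        if attr_name is None:
            return
        a = dict(attrs)
        url = a.get(attr_name) or ""
        # https://, protocol-relative (//host/...) and relative URLs are not mixed content.
        if urlsplit(url).scheme != "http":
            return
        rel = (a.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            kind = "metadata"  # e.g. rel="profile": not fetched, no warning, still worth fixing
        elif tag == "img":
            kind = "passive"   # displayed; degrades the padlock but is not blocked
        else:
            kind = "active"    # stylesheet/script/iframe/form target: blocked or warned about
        self.findings.append((tag, url, kind, "https://" + url[len("http://"):]))


def scan_mixed_content(html):
    parser = MixedContentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample modelled on the markup quoted in this report.
SAMPLE_HTML = """
<link rel='stylesheet' id='google-fonts-style-css' href='http://fonts.googleapis.com/css?family=Oxygen' />
<link rel="profile" href="http://gmpg.org/xfn/11" />
<link rel='stylesheet' href='//fonts.googleapis.com/css?family=Oxygen' />
<form method="get" action="http://cdimage.ubuntu.com/"></form>
<img src="http://example.invalid/badge.png">
"""

if __name__ == "__main__":
    for tag, url, kind, fix in scan_mixed_content(SAMPLE_HTML):
        print(f"{kind:8} <{tag}> {url}\n         -> {fix}")
```

The protocol-relative stylesheet in the sample is deliberately not reported, which is the rewrite the report proposes.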

Clive Johnston (clivejo) wrote :

I have temporarily removed the <form> elements and replaced them with linked buttons and it seems to resolve the issue.

It isn't a very pretty solution so would welcome any help in making it better / easier to navigate.

Hanno Böck (hanno-hboeck) wrote :

Ultimately the solution is to support https on cdimage.ubuntu.com.

Apart from that I'd still recommend changing the stylesheet and profile links, even though it turned out they weren't the cause of the warning here.

Clive Johnston (clivejo) wrote :

Unfortunately there are implications to enabling https support on cdimage.ubuntu.com. Many people use zsync and the use of https would stop that from working, plus the site is owned and operated by Canonical, so it is really up to them if they want to do it or not.

Yes, the links do ideally need to be changed, but it will take time to complete as it seems to be coming from the theme (this needs FTP access which I don't have).

Aaron Honeycutt (aaronhoneycutt) wrote :

No update on the issue so closing.

Changed in kubuntu-website:
status: New → Invalid
status: Invalid → Incomplete
Hanno Böck (hanno-hboeck) wrote :

May I point out that the issue is not fixed?

The Google Fonts are still referenced via http. Now, these days, browsers tend to do a lot to auto-upgrade mixed content, so you won't see a warning, but still, this is wrong and should be fixed.

(FWIW, I'd actually recommend not using google fonts for performance and privacy reasons, but instead host the fonts on your own host.)

Aaron Honeycutt (aaronhoneycutt) wrote :

Since this was your statement on the issue:

"Ultimately the solution is to support https on cdimage.ubuntu.com."

We have no control of that website and it is not the Kubuntu website itself either way so this bug may not be correctly filed either way.
