Translation downloads should provide https link

Bug #1441416 reported by Olly Betts
This bug affects 2 people
Affects: Launchpad itself
Status: Fix Released
Importance: High
Assigned to: Colin Watson

Bug Description

When I request a translation download, the link provided in the email to download the translations from is http://launchpadlibrarian.net/... - it would be better to use an https link here. Changing the http to https by hand works, so it's only the notification email which needs a change.

I asked about this on #launchpad, and wgrant said that "Those links are actually unsecured because people complained in like 2007 that HTTPS was slow" but "We're less likely to get backlash for security now".

A lot has changed in the last 8 years, and returned data which could allow an attack via C format specifiers in translated strings definitely seems worth protecting. Or at least offer a choice of links in the email so we don't have to modify them by hand to get security.
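The risk the description mentions, C format specifiers arriving in a translation fetched over an unauthenticated link, as an added example that is not Launchpad's code: a small Python check in the spirit of gettext's `msgfmt --check-format`, flagging any .po entry whose msgstr would consume different printf arguments than its msgid. The sample catalogue is constructed; its `%n` and type-mismatch entries are assumptions made to show what the check catches.

```python
import ast
import re

# One printf-style conversion: flags, width, precision, length modifier and
# conversion character.  "%%" is a literal percent and consumes no argument.
_CONV = re.compile(
    r"%(?:%|[-+ #0']*(?:\d+|\*)?(?:\.(?:\d+|\*))?"
    r"(?P<type>(?:hh|h|ll|l|j|z|t|L)?[diouxXeEfFgGaAcspn]))"
)
# A .po entry: "msgid" then "msgstr", each one or more quoted C strings.
_QSTR = r'"(?:[^"\\]|\\.)*"'
_ENTRY = re.compile(r"^msgid\s+((?:%s\s*)+)msgstr\s+((?:%s\s*)+)" % (_QSTR, _QSTR), re.M)

def arg_types(fmt):
    """Ordered argument-consuming conversions in fmt, e.g. ['d', 'lu']."""
    return [m.group("type") for m in _CONV.finditer(fmt) if m.group(0) != "%%"]

def check_entry(msgid, msgstr):
    """None if msgstr may safely replace msgid as a printf format, else a reason."""
    if not msgstr:            # untranslated: the original msgid is used
        return None
    want, got = arg_types(msgid), arg_types(msgstr)
    if "n" in got:            # %n writes to memory; never legitimate in a translation
        return "%n in translation"
    if got != want:
        return "expected %s, got %s" % (want, got)
    return None

def _unquote(chunk):
    """Join adjacent "..." pieces of one .po string and decode its C escapes."""
    return "".join(ast.literal_eval(p) for p in re.findall(_QSTR, chunk))

def parse_po(text):
    """Minimal .po reader: (msgid, msgstr) pairs. No plurals or msgctxt; header dropped."""
    pairs = [(_unquote(a), _unquote(b)) for a, b in _ENTRY.findall(text)]
    return [p for p in pairs if p[0]]

def check_po(text):
    """(msgid, reason) for every entry whose translation fails the check."""
    return [(i, r) for i, s in parse_po(text) if (r := check_entry(i, s))]

# Constructed sample: a clean entry, one with an injected %n, one with a changed type.
SAMPLE_PO = r'''
msgid "Loaded %d of %s"
msgstr "Chargé %d sur %s"
msgid "Saved to %s"
msgstr "Enregistré sous %s (%s%n)"
msgid "Done (%lu ms, 100%%)"
msgstr "Terminé (%s ms, 100%%)"
'''
```

Run `check_po` over a downloaded catalogue before merging it; an empty result means every translation consumes exactly the arguments its original does.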


Hans-Christoph Steiner (eighthave) wrote :

I could see that in 2007, using HTTPS would be an annoyance, now it should be the default. Many major orgs are pushing that way, like EFF, Google, and more.

Olly Betts (ojwb) wrote :

Indeed, I very much doubt there would be complaints about https links for downloads of this nature these days - even less so today than ~2 years ago when I opened this bug.

I find it rather odd that people would have ever complained about it being slow in the case of translation download. The process to make a translation download from launchpad is that you have to log in to and navigate through an https website to click a button, then wait for launchpad to create the download and send you an email, which then needs to be delivered to you so you can fetch and open the email and finally download the file from the link in that email. Any time saving from making that a non-https link seems irrelevant compared to the time the rest of the process takes.

But if that's really still a concern, please just provide http and https links in the email so people are easily able to make the choice.

Olly Betts (ojwb) wrote :

Is there any obstacle to addressing this? The change seems both simple and safe, but more than three years later the notification mails still give an "http:" link and users who want to avoid a potential vector for MITM format string attacks need to copy+paste the URL and add an "s" themselves.

Olly Betts (ojwb) wrote :

I requested a translation download today, and found this is still unfixed.

Colin Watson (cjwatson)
tags: added: email lp-translations trivial
Changed in launchpad:
assignee: nobody → Colin Watson (cjwatson)
importance: Undecided → High
status: New → In Progress
Colin Watson (cjwatson)
Changed in launchpad:
status: In Progress → Fix Released