Move all subdomains of to HTTPS

Bug #1473092 reported by Bryan Quigley on 2015-07-09
This bug affects 6 people
Affects: Launchpad itself

Bug Description

If we have all of launchpad's subdomains served via HTTPS we can provide a higher level of security for the domain with the HSTS preload list.

The first task really would be to see if we can default all PPAs to https - 1473091

The following sites would need to be served HTTPS only:

The following would need to have some tune-ups to the SSL config (to advertise HSTS, etc):

More on the preload list:
One added benefit once we get past a certain # of days (maybe 126, maybe 180) is that we can be preloaded as an HSTS site in Chrome and Firefox:
Chrome's post:

A first part of this was tracked here -

William Grant (wgrant) wrote :

It's not quite that simple, as certain services must remain HTTP in their current implementation. Most notably, runs on WordPress -- not a piece of software that is even approaching sufficiently trustworthy to be in the same security domain as Launchpad.

Changed in launchpad:
importance: Undecided → Low
status: New → Triaged
tags: added: security
Bryan Quigley (bryanquigley) wrote :

So maybe blog.* should just be moved - perhaps under

For and the needed fix I see is pretty simple: change the CC footer license from:

It redirects automatically but causes an HTTPS warning error in both Chrome and Firefox because it uses HTTP first.

Peter Eckersley (pde-lists) wrote :

The fact that WordPress blogs are on subdomains of the same domain as Launchpad does create some concerns about cookie security and scoping, but shouldn't be affecting HSTS deployment.

Bryan Quigley (bryanquigley) wrote :

> but shouldn't be affecting HSTS deployment.
Indeed it doesn't - most of has HSTS, but we can't/don't want to get on the preload list unless we make sure everything under meets the requirements.

Given bugs like CVE-2016-1252, I think it is now quite clear that Debian package archives should always use HTTPS. Right now, all of the Ubuntu repos are available via HTTPS using, among others. That leaves only PPAs on HTTP.

Alex N. (a-nox) wrote :

Please serve via https.
