Move all subdomains of launchpad.net to HTTPS

Bug #1473092 reported by Bryan Quigley on 2015-07-09
This bug affects 6 people
Affects: Launchpad itself
Importance: Low
Assigned to: Unassigned

Bug Description

If we have all of Launchpad's subdomains served via HTTPS, we can provide a higher level of security for the domain with the HSTS preload list.

The first task really would be to see if we can default all PPAs to https - 1473091

The following sites would need to be served HTTPS only:
blog.launchpad.net
ppa.launchpad.net

The following would need to have some tune-ups to the SSL config (to advertise HSTS, etc):
dev.launchpad.net

More on the preload list:
One added benefit once we get past a certain number of days (maybe 126, maybe 180) is that we can be preloaded as an HSTS site in Chrome and Firefox:
Chrome's post: http://www.chromium.org/sts
Firefox's: https://blog.mozilla.org/security/2012/11/01/preloading-hsts/

A first part of this was tracked here - https://bugs.launchpad.net/launchpad/+bug/1315503
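The preload list requirements the report alludes to are concrete enough to check mechanically. The following is an added example, not Launchpad's code: it parses a `Strict-Transport-Security` header and checks a set of responses against the hstspreload.org rules (HTTP on the bare domain must redirect to HTTPS, the HTTPS response must carry `max-age` of at least one year plus `includeSubDomains` and `preload`, and every subdomain must answer over HTTPS). The one-year minimum is the current published requirement, higher than the figures guessed at above. The responses below are constructed to model the situation described in the report; nothing was fetched from launchpad.net.

```python
"""HSTS preload eligibility check over constructed responses.

Added example, not Launchpad's code.  The responses below are constructed
to resemble the situation the bug describes; they were not captured from
launchpad.net.  Thresholds follow the hstspreload.org requirements
(assumption: the published values at time of writing).
"""
from dataclasses import dataclass, field

MIN_MAX_AGE = 31536000          # one year, the preload list minimum
REDIRECT_CODES = {301, 302, 307, 308}


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status code and lowercased headers."""
    status: int
    headers: dict = field(default_factory=dict)


def parse_hsts(value):
    """Parse a Strict-Transport-Security header into {directive: value}.

    Directive names are case-insensitive; valueless directives map to ''.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_preload(domain, subdomains, responses):
    """Return a list of problems blocking preload; an empty list means eligible.

    `responses` maps (scheme, host) to a Response, or to None when the host
    does not answer on that scheme at all.
    """
    problems = []

    # 1. http://domain must redirect straight to https on the same host.
    http_base = responses.get(("http", domain))
    if http_base is None:
        problems.append(f"http://{domain}: no response")
    else:
        location = http_base.headers.get("location", "")
        if http_base.status not in REDIRECT_CODES or not location.startswith(f"https://{domain}"):
            problems.append(f"http://{domain}: must redirect to https://{domain}")

    # 2. https://domain must send a conforming HSTS header.
    https_base = responses.get(("https", domain))
    if https_base is None:
        problems.append(f"https://{domain}: no response")
    else:
        header = https_base.headers.get("strict-transport-security")
        if header is None:
            problems.append(f"https://{domain}: no Strict-Transport-Security header")
        else:
            d = parse_hsts(header)
            try:
                max_age = int(d.get("max-age", "0"))
            except ValueError:
                max_age = 0
            if max_age < MIN_MAX_AGE:
                problems.append(f"https://{domain}: max-age {max_age} < {MIN_MAX_AGE}")
            if "includesubdomains" not in d:
                problems.append(f"https://{domain}: missing includeSubDomains")
            if "preload" not in d:
                problems.append(f"https://{domain}: missing preload directive")

    # 3. Every subdomain must be reachable over HTTPS: once preloaded with
    #    includeSubDomains, browsers will refuse plain HTTP to all of them.
    for sub in subdomains:
        host = f"{sub}.{domain}"
        if responses.get(("https", host)) is None:
            problems.append(f"https://{host}: not served over HTTPS")
    return problems


# Constructed responses modelling the state described in the bug report.
RESPONSES = {
    ("http", "launchpad.net"): Response(301, {"location": "https://launchpad.net/"}),
    ("https", "launchpad.net"): Response(200, {
        "strict-transport-security": "max-age=15552000; includeSubDomains"}),  # 180 days
    ("https", "dev.launchpad.net"): Response(200, {}),
    ("http", "ppa.launchpad.net"): Response(200, {}),
    ("https", "ppa.launchpad.net"): None,   # PPAs: plain HTTP only
    ("http", "blog.launchpad.net"): Response(200, {}),
    ("https", "blog.launchpad.net"): None,  # WordPress blog: plain HTTP only
}

if __name__ == "__main__":
    for problem in check_preload("launchpad.net", ["dev", "ppa", "blog"], RESPONSES):
        print(problem)
```

Against the constructed responses the check reports four blockers: the 180-day `max-age`, the missing `preload` directive, and the two subdomains with no HTTPS listener. The subdomain check is the one that matters for this bug: the `includeSubDomains` directive is a precondition for preloading, and it is exactly what makes a plain-HTTP `ppa.launchpad.net` or `blog.launchpad.net` unreachable once the entry ships in browsers.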

William Grant (wgrant) wrote :

It's not quite that simple, as certain services must remain HTTP in their current implementation. Most notably, blog.launchpad.net runs on WordPress -- not a piece of software that is even approaching sufficiently trustworthy to be in the same security domain as Launchpad.

Changed in launchpad:
importance: Undecided → Low
status: New → Triaged
tags: added: security

Bryan Quigley (bryanquigley) wrote :

@wgrant
So maybe blog.* should just be moved - perhaps under https://insights.ubuntu.com/?

For https://dev.launchpad.net/ and https://help.launchpad.net/ the needed fix I see is pretty simple: change the CC footer license from:
http://i.creativecommons.org/l/by/2.0/uk/80x15.png
to
https://licensebuttons.net/l/by/2.0/uk/80x15.png

It redirects automatically but causes an HTTPS warning error in both Chrome and Firefox because it uses HTTP first.
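The footer problem above is a mixed-content issue: the page is served over HTTPS but loads an image over plain HTTP, and the browser flags the plaintext request regardless of the redirect that follows. The following is an added example, not Launchpad's code, of how to find such references in a page. The markup is constructed to reproduce the footer described in the comment and is not a copy of the real dev.launchpad.net page; the static-resource paths in it are invented.

```python
"""Find plain-http subresources (mixed content) in an HTTPS page.

Added example, not Launchpad's code.  The page markup below is constructed
to reproduce the footer problem described in the comment; it is not a copy
of the real dev.launchpad.net page.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements and attributes that make the browser fetch a subresource.
# <a href> is deliberately absent: navigating to an http:// link is not
# mixed content; only loading http:// resources into an https:// page is.
SUBRESOURCE_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "audio": ("src",),
    "video": ("src",),
    "source": ("src",),
    "embed": ("src",),
    "object": ("data",),
}


class MixedContentScanner(HTMLParser):
    """Collect (tag, attribute, absolute URL) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # Resolve relative and protocol-relative references against the
            # page URL so only references that really leave over http:// are
            # reported; "//host/path" on an https page resolves to https.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((tag, name, absolute))


def find_mixed_content(page_url, html):
    """Return the http:// subresources of an https:// page (empty for http pages)."""
    if urlsplit(page_url).scheme != "https":
        return []          # mixed content only exists on secure pages
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: a footer carrying the CC button over plain HTTP, plus
# references that resolve to https:// and must not be reported.
PAGE_URL = "https://dev.launchpad.net/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/+static/style.css">
<script src="//dev.launchpad.net/+static/app.js"></script>
</head><body>
<p>Content licensed under
<a href="http://creativecommons.org/licenses/by/2.0/uk/">
  <img src="http://i.creativecommons.org/l/by/2.0/uk/80x15.png" alt="CC BY 2.0 UK" />
</a></p>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(PAGE_URL, SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}> -> {url}")
```

Run against the constructed page, the scanner reports only the `<img src="http://i.creativecommons.org/...">` reference; the `<a href>` to the licence text is a navigation, not a subresource, and the root-relative and protocol-relative references resolve to `https://`. Swapping the image for the `https://licensebuttons.net/...` URL suggested above empties the report.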

Peter Eckersley (pde-lists) wrote :

The fact that WordPress blogs are on subdomains of the same domain as Launchpad does create some concerns about cookie security and scoping, but shouldn't be affecting HSTS deployment.

Bryan Quigley (bryanquigley) wrote :

>but shouldn't be affecting HSTS deployment.
Indeed it doesn't - most of launchpad.net has HSTS, but we can't/don't want to get on the preload list unless we make sure everything under launchpad.net meets the requirements.

Given bugs like CVE-2016-1252 https://www.debian.org/security/2016/dsa-3733, I think it is now quite clear that Debian package archives should always use HTTPS. Right now, all of the Ubuntu repos are available via HTTPS using https://mirrors.kernel.org, among others. That leaves only PPAs on HTTP.
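Auditing which archives a machine still fetches over plain HTTP is the practical counterpart of the argument above. The following is an added example, not Launchpad's or apt's code: it parses the one-line `sources.list` format (including the bracketed options field), classifies each entry by URI scheme, and emits an upgraded line for hosts in a caller-supplied set of mirrors known to serve HTTPS. The sample file is constructed, and the allowlist containing mirrors.kernel.org is an assumption drawn only from the comment above, not a verified mirror list.

```python
"""Audit an apt sources.list for archives still fetched over plain HTTP.

Added example, not Launchpad's or apt's code.  The sources.list text and the
set of mirrors assumed to serve HTTPS are constructed for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# One-line format: deb|deb-src [options] uri suite [component ...]
SOURCE_RE = re.compile(
    r"^(?P<kind>deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?"
    r"(?P<uri>\S+)\s+(?P<suite>\S+)\s*(?P<comps>.*)$"
)


@dataclass
class Source:
    kind: str
    options: dict
    uri: str
    suite: str
    components: list

    def format(self, uri=None):
        """Render back to one-line sources.list syntax, optionally with a new URI."""
        parts = [self.kind]
        if self.options:
            parts.append("[" + " ".join(f"{k}={v}" for k, v in self.options.items()) + "]")
        parts.append(uri or self.uri)
        parts.append(self.suite)
        parts.extend(self.components)
        return " ".join(parts)


def parse_sources_list(text):
    """Parse one-line-style sources.list content; comments and blanks are skipped."""
    sources = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SOURCE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable sources.list line: {raw!r}")
        options = {}
        for opt in (m["opts"] or "").split():
            key, _, value = opt.partition("=")
            options[key] = value
        sources.append(Source(m["kind"], options, m["uri"], m["suite"], m["comps"].split()))
    return sources


def audit(sources, https_mirrors):
    """Classify each source as already_https / upgradable / plain_http / other.

    `https_mirrors` is the set of hosts known to serve the same archive over
    HTTPS; for those the upgraded line is returned so it can be dropped in.
    """
    report = {"already_https": [], "upgradable": [], "plain_http": [], "other": []}
    for src in sources:
        parts = urlsplit(src.uri)
        if parts.scheme == "https":
            report["already_https"].append(src.format())
        elif parts.scheme == "http":
            if parts.hostname in https_mirrors:
                new_uri = urlunsplit(("https",) + tuple(parts[1:]))
                report["upgradable"].append(src.format(new_uri))
            else:
                report["plain_http"].append(src.format())
        else:
            report["other"].append(src.format())   # file:, cdrom:, etc.
    return report


# Constructed input: a typical Ubuntu sources.list plus a PPA line.
SAMPLE_SOURCES = """
# main archive, plain http
deb http://archive.ubuntu.com/ubuntu xenial main restricted
deb [arch=amd64] http://mirrors.kernel.org/ubuntu xenial main
deb https://mirrors.kernel.org/ubuntu xenial-security main
deb http://ppa.launchpad.net/someuser/someppa/ubuntu xenial main
deb file:/srv/local-repo ./
"""

# Constructed allowlist: hosts assumed to serve the archive over HTTPS.
# mirrors.kernel.org is the one named in the comment above; verify before use.
HTTPS_MIRRORS = {"mirrors.kernel.org"}

if __name__ == "__main__":
    for category, lines in audit(parse_sources_list(SAMPLE_SOURCES), HTTPS_MIRRORS).items():
        for line in lines:
            print(f"{category:14} {line}")
```

On the constructed file the audit leaves two entries in `plain_http`: the main archive, for which no HTTPS mirror was supplied, and the PPA line, which is the case this bug is about, since at the time of the comment there was no HTTPS endpoint to rewrite it to. Note that an HTTPS transport does not replace signature verification of the `InRelease` file; it removes the network attacker's ability to tamper with what apt parses before that verification runs.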

Alex N. (a-nox) wrote :

Please serve ppa.launchpad.net via https.
