post report/abuse should be https

Bug #691002 reported by Michael Vogt
Affects                    | Status       | Importance | Assigned to    | Milestone
Ratings and Reviews server | Fix Released | Low        | Anthony Lenton | 11.05

Bug Description

Because we use OAuth PLAINTEXT as the signature we need to submit reviews via https, otherwise people
may obtain the SSO token secrets from our requests via sniffing the wire/wlan traffic.
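
To make the leak concrete: with the PLAINTEXT method (RFC 5849 section 3.4.4) the oauth_signature parameter is nothing but the consumer secret and the token secret, percent-encoded and joined by '&'. Anyone who can read the request on the wire can read the secrets back out. The following is an added example, not code from the rnr client or server; the credentials are constructed for the demo and the nonce/timestamp defaults are arbitrary.

```python
import urllib.parse

# Constructed credentials for the demo; not real SSO values.
CONSUMER_KEY = "rnr-client"
CONSUMER_SECRET = "c0nsumer&secret"
TOKEN = "sso-token-123"
TOKEN_SECRET = "tok/secret+1"


def _enc(value):
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters stay bare.
    return urllib.parse.quote(value, safe="")


def plaintext_signature(consumer_secret, token_secret):
    """PLAINTEXT 'signature': the two encoded secrets joined by '&'.
    Nothing is hashed or MACed; the secrets themselves are the signature."""
    return "%s&%s" % (_enc(consumer_secret), _enc(token_secret))


def build_authorization_header(consumer_key, consumer_secret, token, token_secret,
                               nonce="abc123", timestamp="1293000000"):
    """Authorization header a client sends with oauth_signature_method=PLAINTEXT.
    Every value, including the signature, is percent-encoded once more when it
    is placed in the header (RFC 5849 section 3.5.1)."""
    params = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_token", token),
        ("oauth_signature_method", "PLAINTEXT"),
        ("oauth_signature", plaintext_signature(consumer_secret, token_secret)),
        ("oauth_timestamp", timestamp),
        ("oauth_nonce", nonce),
        ("oauth_version", "1.0"),
    ]
    return "OAuth " + ", ".join('%s="%s"' % (k, _enc(v)) for k, v in params)


def parse_authorization_header(header):
    """What a passive sniffer does with a captured header: split the
    comma-separated key="value" pairs and percent-decode each value."""
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth Authorization header")
    params = {}
    for pair in rest.split(","):
        key, _, quoted = pair.strip().partition("=")
        params[key] = urllib.parse.unquote(quoted.strip('"'))
    return params


def recover_secrets(header):
    """Return (consumer_secret, token_secret) recovered from a sniffed PLAINTEXT
    request, or None when the request used HMAC-SHA1/RSA-SHA1, where the header
    only carries a MAC or signature and the secrets never leave the client."""
    params = parse_authorization_header(header)
    if params.get("oauth_signature_method") != "PLAINTEXT":
        return None
    enc_consumer, _, enc_token = params["oauth_signature"].partition("&")
    return urllib.parse.unquote(enc_consumer), urllib.parse.unquote(enc_token)


if __name__ == "__main__":
    # Simulate the client's request going over plain http and being captured.
    wire = build_authorization_header(CONSUMER_KEY, CONSUMER_SECRET, TOKEN, TOKEN_SECRET)
    print("Captured header:", wire)
    print("Recovered secrets:", recover_secrets(wire))
```

TLS closes the hole by hiding the whole header from the wire; the other fix, independent of the transport, is to switch the client to HMAC-SHA1, after which the captured header yields only a per-request MAC that cannot be replayed with a fresh nonce and timestamp.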

Tags: kb-task

Anthony Lenton (elachuni) wrote:

I think this is both a client-side issue and a deployment issue, but so far our code base doesn't depend on being served over http or https.

The client library should allow you to call certain methods over http but others over https. That is something piston-mini-client is missing, and then rnrclient. I've created bug #704885 for this.

One thing the server *could* do is check that each method is being served over http(s) as intended, and fail otherwise. We could provide two decorators (ensure_http and ensure_https) and apply them to each piston resource as needed.

I'd recommend a setting to disable these checks, so that the code can still be deployed on a server that doesn't respond to both schemes.
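
One way the ensure_http/ensure_https decorators and the disable setting described above could be implemented, as an added example rather than code from rnr-server or piston: the decorators wrap plain handler functions here instead of piston resource methods, `Settings`, `Request` and `Response` are minimal stand-ins for `django.conf.settings`, `HttpRequest` and `HttpResponse`, and the `ENFORCE_SCHEME_CHECKS` and `TRUST_FORWARDED_PROTO` setting names are hypothetical.

```python
from functools import wraps


class Settings:
    """Stand-in for django.conf.settings (hypothetical setting names)."""
    ENFORCE_SCHEME_CHECKS = True   # the opt-out Anthony suggests for single-scheme deployments
    TRUST_FORWARDED_PROTO = False  # only True when a TLS-terminating frontend sets the header


settings = Settings()


class Request:
    """Minimal stand-in for HttpRequest: just what the scheme checks need."""
    def __init__(self, path, secure, forwarded_proto=None):
        self.path = path
        self._secure = secure
        self.META = {"HTTP_X_FORWARDED_PROTO": forwarded_proto} if forwarded_proto else {}

    def is_secure(self):
        return self._secure


class Response:
    """Minimal stand-in for HttpResponse."""
    def __init__(self, status_code, content=""):
        self.status_code = status_code
        self.content = content


def _is_https(request):
    """is_secure() only knows about the socket the app accepted on. Behind a
    frontend that terminates TLS that hop is plain http, so the check has to
    consult X-Forwarded-Proto, and must do so only when the frontend is known
    to overwrite that header on every request (otherwise a client can forge it)."""
    if request.is_secure():
        return True
    if settings.TRUST_FORWARDED_PROTO:
        return request.META.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


def _ensure_scheme(want_https):
    scheme = "https" if want_https else "http"

    def decorator(handler):
        @wraps(handler)
        def wrapper(request, *args, **kwargs):
            # Setting is read per request so a deployment can flip it without restarting.
            if settings.ENFORCE_SCHEME_CHECKS and _is_https(request) != want_https:
                return Response(403, "%s must be requested over %s" % (request.path, scheme))
            return handler(request, *args, **kwargs)
        return wrapper
    return decorator


ensure_https = _ensure_scheme(True)
ensure_http = _ensure_scheme(False)


@ensure_https
def post_review(request):
    """Submits a review: carries the OAuth token secret, so https only."""
    return Response(201, "review stored")


@ensure_http
def list_reviews(request):
    """Public, unauthenticated read; intended to be served over http."""
    return Response(200, "reviews for " + request.path)


if __name__ == "__main__":
    for req in (Request("/reviews/", secure=True), Request("/reviews/", secure=False)):
        r = post_review(req)
        print("POST /reviews/ secure=%s -> %d %s" % (req.is_secure(), r.status_code, r.content))
```

As written, ensure_http rejects https as strictly as ensure_https rejects http, which is the "fail otherwise" behaviour described above; in practice a deployment would usually let http-intended methods accept either scheme. The X-Forwarded-Proto handling is the part that matters for the deployment question raised later in this bug: when the frontend terminates TLS, an in-app check that looks only at `is_secure()` would refuse every request, which is one reason to leave scheme enforcement to the frontend.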

Changed in rnr-server:
status: New → Confirmed
importance: Undecided → Low
tags: added: kb-task
Changed in rnr-server:
assignee: nobody → Anthony Lenton (elachuni)
status: Confirmed → In Progress
ISD Branch Mangler (isd-branches-mangler) wrote:

Discussed with IS. Due to our deployment setup it doesn't make sense to enforce the scheme checks on the server as this is taken care of by the frontend servers.

Client-side fixes still make sense though.

Changed in rnr-server:
status: In Progress → Fix Committed
Changed in rnr-server:
milestone: none → 11.05
status: Fix Committed → Fix Released