Security notices aren't signed and website doesn't offer https

Bug #1385886 reported by Andreas Moog
This bug affects 4 people
Affects: ubuntu-website-content
Status: In Progress
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none)

Bug Description

Hi there,

Currently, the Ubuntu security notices are only served over http, not https (https://www.ubuntu.com/usn doesn't connect, https://usn.ubuntu.com produces a "No content" webpage).

Additionally the security notices on the site aren't signed (or at least I couldn't find a signed version on the web).

Both issues mean that there is no easy way to tell if the web information about USNs is accurate or has been forged by a MITM attack.

Andreas Moog (ampelbein)
information type: Private Security → Public Security
Peter Mahnke (peterm-ubuntu) wrote :

Andreas

The Canonical IS team has agreed to do this work and it is in progress.

Peter

Changed in ubuntu-website-content:
status: New → In Progress
importance: Undecided → Medium
importance: Medium → Wishlist
Matthew Paul Thomas (mpt) wrote :

I think this bug report is conflating two issues. They are very different in scope, and neither of them belongs to the Canonical IS team.

Signing security notices is a process for the Ubuntu security team to set up. Microsoft and Apple do it, for example:
<https://technet.microsoft.com/en-us/security/dn753714>
<https://www.apple.com/support/security/pgp/>

Serving security notices over HTTPS is a separate problem. It would seem to require either (a) moving security notices to a separate Web site, or (b) switching the Ubuntu Web site as a whole to HTTPS. The latter is a good idea anyway (it would prevent attackers from MITMing the Ubuntu download page, for example!), but it would require much more than Canonical IS just getting a certificate and flipping a switch. Making the change without introducing security warnings would require checking all external resources used on www.ubuntu.com to ensure they are HTTPS versions, for example those on assets.ubuntu.com, yui.yahooapis.com, and www.youtube.com.
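The mixed-content check described above, as an added example (not part of this bug report or of Canonical's tooling): it parses a constructed HTML page and reports every sub-resource that would still be fetched over plain http once the page itself is served over HTTPS, resolving relative and protocol-relative URLs against the page URL.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes that trigger a sub-resource fetch.
RESOURCE_ATTRS = {
    "script": ("src",), "img": ("src",), "iframe": ("src",),
    "link": ("href",), "source": ("src",), "video": ("src", "poster"),
    "audio": ("src",), "object": ("data",), "embed": ("src",),
}


class MixedContentScanner(HTMLParser):
    """Collect sub-resources that an HTTPS page would load over plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # list of (tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheet/icon links are fetched as sub-resources;
            # rel="canonical", rel="alternate" etc. are not.
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel and "icon" not in rel:
                return
        for attr in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if value:
                # urljoin gives "//host/path" the page's scheme (https),
                # so protocol-relative references are correctly treated as safe.
                resolved = urljoin(self.page_url, value.strip())
                if urlsplit(resolved).scheme == "http":
                    self.insecure.append((tag, resolved))


def find_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.insecure


# Constructed sample markup (hosts from the comment above; paths are made up).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://assets.ubuntu.com/css/site.css">
<script src="https://yui.yahooapis.com/3.17.2/build/yui/yui-min.js"></script>
<script src="//www.youtube.com/iframe_api"></script>
<link rel="canonical" href="http://www.ubuntu.com/usn">
<link rel="stylesheet" href="/static/local.css">
</head><body>
<img src="http://assets.ubuntu.com/img/logo.png" alt="">
<iframe src="https://www.youtube.com/embed/xyz"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://www.ubuntu.com/usn", SAMPLE_HTML):
        print(f"<{tag}> would load over plain http: {url}")
```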

Anthony Dillon (ya-bo-ng) wrote :

Just an update on the two points in this bug.

We are planning to move security notices to https://usn.ubuntu.com. We will ensure that a secure connection is requested as part of this project.

The other part of this bug may have run its course. We have discussed the possibility of providing HTTPS across Ubuntu.com with the IS team. There is a reluctance due to the large number of hits. That would require a lot of resource.

information type: Public Security → Public
information type: Public → Private Security
information type: Private Security → Public Security
Peter Mahnke (peterm-ubuntu) wrote :

An update.

The site is now https; however, the notices are not signed.

I will revert when I have more updates.

Peter
