
[FFE] Change from http to https and verify cert

Reported by Joshua Hoover on 2012-09-24
This bug affects 46 people
Affects                               | Importance | Assigned to
unity-lens-shopping                   | High       | Michal Hruby
unity-lens-shopping (Ubuntu)          | Critical   | Unassigned
unity-lens-shopping (Ubuntu Quantal)  | Critical   | Unassigned

Bug Description

The shopping lens is currently set to use http but the production instance of the server will enforce https. We need to switch to https and make sure we verify the certificate. Without this change all search queries will be sent over clear http.

Tags: ffe

Stéphane Graber (stgraber) wrote:
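The description asks for two things: use https, and verify the certificate. Those are separate checks, and the second is the one most often left out (a client that speaks TLS but accepts any certificate still lets an on-path attacker read every query). The following is an added example, not code from unity-lens-shopping (which is Vala on libsoup); it shows the two checks in Python's standard library, with the weak context beside the corrected one. Only the host name productsearch.ubuntu.com appears on this page; the query path and parameter name are assumptions for illustration.

```python
"""Added example, not the lens's own code: what "switch to https and verify
the certificate" means on the client side, using only the Python stdlib."""
import ssl
import urllib.parse
import urllib.request

# Assumption for illustration: only the host name is on the bug page; the
# "?q=" query parameter below is made up.
SEARCH_BASE = "https://productsearch.ubuntu.com/"


def ensure_https(url: str) -> str:
    """First check: refuse any endpoint that is not https, so a misconfigured
    URL cannot silently send search queries in the clear."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"refusing plaintext endpoint: {url}")
    return url


def lax_context() -> ssl.SSLContext:
    """The weak setting: TLS on the wire, but any certificate is accepted, so
    an active attacker can terminate the connection with their own cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context() -> ssl.SSLContext:
    """Second check, done right: the chain must validate against the system
    CA store and the leaf certificate must match the requested host name."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_verifying(ctx: ssl.SSLContext) -> bool:
    """Review check: both flags must be on, or the certificate is not really
    being verified."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def search_url(query: str, base_url: str = SEARCH_BASE) -> str:
    """Build the query URL only after the endpoint has passed the https check."""
    base = ensure_https(base_url)
    return base + "?" + urllib.parse.urlencode({"q": query})


def build_opener(base_url: str = SEARCH_BASE) -> urllib.request.OpenerDirector:
    """An opener that can only ever talk https with a verified certificate."""
    ensure_https(base_url)
    ctx = verifying_context()
    if not is_verifying(ctx):
        raise RuntimeError("TLS context does not verify certificates")
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


if __name__ == "__main__":
    opener = build_opener()
    # opener.open(search_url("ubuntu")) would perform the query over verified TLS;
    # a server presenting an untrusted or mismatched certificate makes it raise
    # ssl.SSLCertVerificationError instead of returning a response.
    print(search_url("ubuntu"))
```

The libsoup equivalent of `verifying_context()` is enabling system CA trust on the SoupSession and treating an untrusted certificate as a failed request rather than a warning; whatever the library, the check worth making in review is that both chain validation and host-name matching are on, not just that the URL starts with https.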

Can you provide a diff/branch for this change?

By the description you give so far, it sounds like a bugfix to me more than a feature change.

Launchpad Janitor (janitor) wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in unity-lens-shopping (Ubuntu):
status: New → Confirmed
Jeremy Bicha (jbicha) wrote:

Why did you open this bug and mark the already reported bug a duplicate of this?

Alan Pope ㋛ (popey) wrote:

@jeremy, Joshua wasn't aware of bug 1054677 when he created this one, I alerted him to the duplicate and suggested he set one as dupe of the other, either way round.

Joshua Hoover (joshuahoover) wrote:

Jeremy, right, what popey said, plus we needed to follow the freeze exception process, which requires a different description and some other things. I didn't want to hijack the other bug, but I also wanted to make it clear that this bug addresses that one by marking it as a duplicate.

Iain Lane (laney) on 2012-09-26
Changed in unity-lens-shopping (Ubuntu):
status: Confirmed → New
Launchpad Janitor (janitor) wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in unity-lens-shopping (Ubuntu):
status: New → Confirmed
Iain Lane (laney) on 2012-09-26
Changed in unity-lens-shopping (Ubuntu Quantal):
milestone: none → ubuntu-12.10
Michal Hruby (mhr3) on 2012-09-26
Changed in unity-lens-shopping:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Michal Hruby (mhr3)
Melissa (abadidea) wrote:

I would like to Register My Concerns(tm) about the process here as a security researcher and occasional Ubuntu user. I don't mean to sound upset with anyone or accusatory, I just don't want to see this happen again next time around. I suspect that Ubuntu is only going to continue down the cloud integration path and it's critical to get this right.

It's great that it's already been agreed the plugin is changing to HTTPS, but the future revision where this would happen is referred to as the "production" server.

The server you currently have is live on the internet now. It is answering requests from the client software that is live on the download mirrors now. It's on real machines outside of the development lab.

**It's already in production.**

A web service on the open internet is quite a bit different from normal desktop software. Just calling it beta doesn't really make it okay to make everything plaintext and plan to get around to it later. For that matter, there's also the TOS and the privacy policy which every web service should have. I don't see any of this info on http://productsearch.ubuntu.com/. Again, I understand it's beta, but it's still live. (If the TOS/privacy policy is the same as some generic ubuntu.com one, it should still really be linked to from the subdomain - but I would like to see a specific privacy policy for each specific type of data exchange.)

It's okay if your first *internal* version of a web service has temporary, insecure rigging, but when it goes live on the internet it needs to already be /* FIXME: insecure */-free. As a security researcher who was worried about the implementation of your plugin, I should be looking over your source for bugs in your security code, because it can be very difficult to get that right on the first try - but instead I'm on bug tickets imploring you to make sure there is security code for me to check at all.

I am going to open another ticket about some other privacy problems more particular to this exact plugin. I just wanted to share these concerns about process for launching a web service integrated with the desktop.

Michal Hruby (mhr3) on 2012-09-27
Changed in unity-lens-shopping:
status: In Progress → Fix Committed
Scott Kitterman (kitterman) wrote:

FFe approved. Please land ASAP (today please).

Changed in unity-lens-shopping (Ubuntu Quantal):
status: Confirmed → Triaged
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package unity-lens-shopping - 6.0.0-0ubuntu2

---------------
unity-lens-shopping (6.0.0-0ubuntu2) quantal; urgency=low

  [ Łukasz 'sil2100' Zemczak ]
  * debian/control:
    - Added build-dependencies to libsoup2.4-dev and libsoup-gnome2.4-dev, as
      needed by the addition of secure connections

  [ Iain Lane ]
  * Cherry-pick upstream r22 to connect to the remote server using SSL (LP:
    #1055649)
 -- Iain Lane <email address hidden> Fri, 28 Sep 2012 18:01:02 +0100

Changed in unity-lens-shopping (Ubuntu Quantal):
status: Triaged → Fix Released
Michal Hruby (mhr3) on 2012-10-01
Changed in unity-lens-shopping:
status: Fix Committed → Fix Released
Changed in unity-lens-shopping:
milestone: none → 6.8.0