Security: http scheme allowed for oauth account plugins.

Bug #1343093 reported by UserError
This bug affects 1 person
Affects: Switchboard Online Accounts Plug
Status: Confirmed
Importance: Critical
Assigned to: Unassigned

Bug Description

Where possible shouldn't it be https only?

As we can currently set per provider if they are able to use http or https, we should evaluate which ones do support https and remove http support for them to add a little bit of extra security for your account.

UserError (usererror)
summary: - Security: http schemes allowed for oauth account plugins.
+ Security: http scheme allowed for oauth account plugins.
UserError (usererror)
information type: Public → Public Security
Sergey "Shnatsel" Davidoff (shnatsel) wrote :

Depends. It should be HTTPS-only for Internet services, but most likely HTTP-only for networks with better transport security, such as Hyperboria.

So if you're going to force HTTPS (which is a good thing - protects against downgrading to HTTP, à la SSLstrip), do it on a per-plugin basis.
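The per-provider policy discussed in the report and in the comment above, written out as an added Python example (it is not code from the onlineaccounts plug, and the provider names and the `PROVIDER_SCHEMES` table are constructed for illustration): each provider carries an explicit set of allowed URL schemes, anything not listed defaults to HTTPS only, and a small audit helper lists the providers that still accept plain HTTP so they can be reviewed for removal.

```python
from urllib.parse import urlsplit

# Constructed per-provider policy (hypothetical provider names, not the
# plug's real configuration). A provider is only allowed to talk plain
# HTTP when that is listed here explicitly.
PROVIDER_SCHEMES = {
    "example-public-provider": {"https"},          # Internet service: HTTPS only
    "example-mesh-provider": {"http"},             # overlay network with its own transport security
    "example-legacy-provider": {"http", "https"},  # still under review; both accepted for now
}

# Any provider without an entry falls back to the safe default.
DEFAULT_SCHEMES = frozenset({"https"})


class SchemeNotAllowed(ValueError):
    """Raised when an OAuth endpoint uses a scheme the provider policy forbids."""


def allowed_schemes(provider):
    """Return the scheme set for a provider, defaulting to HTTPS only."""
    return frozenset(PROVIDER_SCHEMES.get(provider, DEFAULT_SCHEMES))


def check_endpoint(provider, url):
    """Validate an OAuth endpoint URL against the provider's scheme policy.

    Returns the URL unchanged when it is acceptable; raises SchemeNotAllowed
    for a forbidden scheme and ValueError for a URL without a host. Rejecting
    at this point is what prevents a configured https endpoint from being
    silently replaced by an http one (the SSLstrip-style downgrade).
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if not parts.netloc:
        raise ValueError("endpoint URL has no host: %r" % url)
    if scheme not in allowed_schemes(provider):
        raise SchemeNotAllowed(
            "provider %r does not allow scheme %r (allowed: %s)"
            % (provider, scheme, ", ".join(sorted(allowed_schemes(provider))))
        )
    return url


def http_capable_providers():
    """List providers whose policy still permits plain HTTP, for review."""
    return sorted(name for name, schemes in PROVIDER_SCHEMES.items() if "http" in schemes)


if __name__ == "__main__":
    print("providers still accepting http:", http_capable_providers())
    for provider, url in [
        ("example-public-provider", "https://auth.example.test/oauth/authorize"),
        ("example-public-provider", "http://auth.example.test/oauth/authorize"),
        ("example-mesh-provider", "http://auth.mesh.example/oauth/authorize"),
        ("unknown-provider", "http://auth.example.test/oauth/authorize"),
    ]:
        try:
            check_endpoint(provider, url)
            print("accepted", provider, url)
        except SchemeNotAllowed as exc:
            print("rejected:", exc)
```

The defaulting matters more than the table: a provider that is added later without an explicit policy gets HTTPS only, so the weak setting has to be opted into per provider rather than being the fallback.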

description: updated
Changed in elementaryos:
status: New → Confirmed
importance: Undecided → Critical
affects: elementaryos → switchboard-plug-onlineaccounts
Changed in switchboard-plug-onlineaccounts:
milestone: none → loki-rc1
Changed in switchboard-plug-onlineaccounts:
milestone: loki-rc1 → loki+1-beta1