Move all subdomains of launchpad.net to HTTPS

Bug #1473092 reported by Bryan Quigley
Affects | Status | Importance | Assigned to | Milestone
Launchpad itself | Triaged | Low | Unassigned |

Bug Description

If we have all of launchpad's subdomains served via HTTPS we can provide a higher level of security for the domain with the HSTS preload list.

The first task really would be to see if we can default all PPAs to https - 1473091

The following sites would need to be served HTTPS only:
blog.launchpad.net
ppa.launchpad.net

The following would need to have some tune-ups to the SSL config (to advertise HSTS, etc):
dev.launchpad.net

More on the preload list:
One added benefit once we get past a certain # of days (maybe 126, maybe 180) is that we can be preloaded as an HSTS site in Chrome and Firefox:
Chrome's post: http://www.chromium.org/sts
Firefox's: https://blog.mozilla.org/security/2012/11/01/preloading-hsts/

A first part of this was tracked here - https://bugs.launchpad.net/launchpad/+bug/1315503

Tags: security
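The preload requirements the description alludes to (a long enough max-age, includeSubDomains, the preload directive, and every subdomain HTTPS-only) can be checked mechanically before applying. The following is an added example, not part of the bug report or of Launchpad's code; it assumes the current hstspreload.org minimum max-age of one year (the bug text predates that rule and quotes a shorter window) and uses constructed sample inputs modelled on the state the bug describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Minimum max-age hstspreload.org currently requires (one year in seconds).
# Assumption: this is the present rule; the bug text quotes an older window.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value (RFC 6797 directive syntax).

    Directive names are case-insensitive; unknown directives are ignored,
    as the RFC requires.
    """
    policy = HstsPolicy()
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"malformed max-age directive: {directive!r}")
            policy.max_age = int(value)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


def preload_problems(base_hsts: Optional[str], hosts: Dict[str, bool]) -> List[str]:
    """Return the reasons a domain would be rejected from the preload list.

    base_hsts: STS header value the base domain sends over HTTPS (None if absent).
    hosts: hostname -> True if that host is HTTPS-only (plain HTTP redirects
           to HTTPS), False if it still serves content over plain HTTP.
    An empty list means the inputs satisfy the checks modelled here.
    """
    problems: List[str] = []
    if base_hsts is None:
        problems.append("base domain sends no Strict-Transport-Security header")
    else:
        policy = parse_hsts(base_hsts)
        if policy.max_age is None:
            problems.append("max-age directive missing")
        elif policy.max_age < PRELOAD_MIN_MAX_AGE:
            problems.append(
                f"max-age {policy.max_age} is below the required {PRELOAD_MIN_MAX_AGE}"
            )
        if not policy.include_subdomains:
            problems.append("includeSubDomains directive missing")
        if not policy.preload:
            problems.append("preload directive missing")
    # Preloading applies to every subdomain, so any host still serving plain
    # HTTP would break once the domain is in the browsers' built-in list.
    for host, https_only in sorted(hosts.items()):
        if not https_only:
            problems.append(f"{host} still serves content over plain HTTP")
    return problems


# Constructed sample modelled on the state described in the bug: the base
# domain sends HSTS without "preload", and two subdomains are HTTP-only.
SAMPLE_HEADER = "max-age=15552000; includeSubDomains"
SAMPLE_HOSTS = {
    "launchpad.net": True,
    "dev.launchpad.net": True,
    "ppa.launchpad.net": False,
    "blog.launchpad.net": False,
}

if __name__ == "__main__":
    for problem in preload_problems(SAMPLE_HEADER, SAMPLE_HOSTS):
        print("-", problem)
```

Run as a script it lists four problems for the sample: the short max-age, the missing preload directive, and the two HTTP-only subdomains. The host map would normally be filled from a crawl of the real subdomains; it is a plain dict here so the check runs offline.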

William Grant (wgrant) wrote :

It's not quite that simple, as certain services must remain HTTP in their current implementation. Most notably, blog.launchpad.net runs on WordPress -- not a piece of software that is even approaching sufficiently trustworthy to be in the same security domain as Launchpad.

Changed in launchpad:
importance: Undecided → Low
status: New → Triaged
tags: added: security
Bryan Quigley (bryanquigley) wrote :

@wgrant
So maybe blog.* should just be moved - perhaps under https://insights.ubuntu.com/?

For https://dev.launchpad.net/ and https://help.launchpad.net/ the needed fix I see is pretty simple: change the CC footer license from:
http://i.creativecommons.org/l/by/2.0/uk/80x15.png
to
https://licensebuttons.net/l/by/2.0/uk/80x15.png

It redirects automatically but causes an HTTPS warning error in both Chrome and Firefox because it uses HTTP first.
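The footer badge problem above is ordinary mixed content: an https:// page referencing an http:// subresource. A scan of the page markup finds such references before a browser does. The following is an added example, not part of the bug thread or of Launchpad's code; it uses Python's standard-library HTML parser and a constructed sample page containing the CC badge URL quoted above plus hypothetical URLs (example.invalid is a reserved, non-resolving domain; the dev.launchpad.net asset paths are made up).

```python
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Element/attribute pairs that fetch a subresource, and how browsers treat an
# http:// fetch there on an https:// page: "active" content (scripts, frames,
# stylesheets, plugins) is blocked outright; "passive" content (images, media)
# is loaded with a mixed-content warning.
SUBRESOURCE_ATTRS: Dict[str, Tuple[str, str]] = {
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "link": ("href", "active"),     # only rel="stylesheet" links are modelled
    "object": ("data", "active"),
    "img": ("src", "passive"),
    "audio": ("src", "passive"),
    "video": ("src", "passive"),
}


class MixedContentFinder(HTMLParser):
    """Collects subresource references that use a plain http:// URL."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[int, str, str, str]] = []  # (line, tag, kind, url)

    def handle_starttag(self, tag, attrs):
        spec = SUBRESOURCE_ATTRS.get(tag)
        if spec is None:
            return
        attr_name, kind = spec
        attr_map = dict(attrs)
        # <link> covers many relations; this model only tracks stylesheets.
        if tag == "link":
            rel = (attr_map.get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return
        url = attr_map.get(attr_name)
        if not url:
            return
        # Relative and protocol-relative (//host/...) URLs inherit https, so
        # only an explicit http: scheme is mixed content.
        if urlparse(url.strip()).scheme.lower() == "http":
            self.findings.append((self.getpos()[0], tag, kind, url))


def find_mixed_content(html: str) -> List[Tuple[int, str, str, str]]:
    """Return (line, tag, kind, url) for every http:// subresource in the page."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def has_active_mixed_content(html: str) -> bool:
    """True if the page would have a subresource blocked, not merely warned about."""
    return any(kind == "active" for _, _, kind, _ in find_mixed_content(html))


# Constructed sample page: the CC footer badge quoted in the bug plus
# hypothetical asset URLs (example.invalid never resolves).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://dev.launchpad.net/style.css">
<link rel="icon" href="http://dev.launchpad.net/favicon.ico">
<script src="http://example.invalid/analytics.js"></script>
</head><body>
<a href="http://creativecommons.org/licenses/by/2.0/uk/">CC BY 2.0 UK</a>
<img src="http://i.creativecommons.org/l/by/2.0/uk/80x15.png" alt="CC BY">
<img src="//dev.launchpad.net/logo.png" alt="logo">
</body></html>"""

if __name__ == "__main__":
    for line, tag, kind, url in find_mixed_content(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> loads {kind} content from {url}")
```

The sample yields two findings: the http:// script (active, would be blocked) and the CC badge image (passive, the warning the comment describes). The `<a href="http://...">` is a navigation, not a subresource, so it is correctly ignored, and the protocol-relative image URL inherits the page's scheme.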

Peter Eckersley (pde-lists) wrote :

The fact that WordPress blogs are on subdomains of the same domain as Launchpad does create some concerns about cookie security and scoping, but shouldn't be affecting HSTS deployment.

Bryan Quigley (bryanquigley) wrote :

>but shouldn't be affecting HSTS deployment.
Indeed it doesn't - most of launchpad.net has HSTS, but we can't/don't want to get on the preload list unless we make sure everything under launchpad.net meets the requirements.

Hans-Christoph Steiner (eighthave) wrote :

Given bugs like CVE-2016-1252 https://www.debian.org/security/2016/dsa-3733, I think it is now quite clear that Debian package archives should always use HTTPS. Right now, all of the Ubuntu repos are available via HTTPS using https://mirrors.kernel.org, among others. That leaves only PPAs on HTTP.

Alex N. (a-nox) wrote :

Please serve ppa.launchpad.net via https.

Benjamin Allot (ballot)
no longer affects: altlinux
Colin Watson (cjwatson)
information type: Public → Public Security
This report contains Public Security information: everyone can see this security-related information.