Closed
Bug 58300
Opened 24 years ago
Closed 20 years ago
SSL for bugzilla
Categories
(mozilla.org Graveyard :: Server Operations, task, P3)
mozilla.org Graveyard
Server Operations
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: BenB, Assigned: justdave)
References
Details
(Whiteboard: PLEASE READ comments 14, 16, and 27 before adding comments to this bug)
Please make bugzilla.mozilla.org available over SSL, i.e. make <https://bugzilla.mozilla.org> work. This is important to protect passwords, which in turn protect access to Mozilla vulnerability bugs.
Comment 1•24 years ago
|
||
This would require moving to Netscape Enterprise Server (we don't really support Apache... especially with SSL) which is OK with me but does anyone have time and energy to make bugzilla to work with it?
Comment 2•24 years ago
|
||
Risto: what do you mean about having the time and energy to make bugzilla work with it? Bugzilla doesn't have to do anything special, as we have no immediate plans to implement cert-auth, just to allow folks to use encrypted connections. The server does need to remain Apache, because most Bugzilla instances around the world use Apache, and we need to be using what our customers use so that we'll hit any problems that they do.
Comment 3•24 years ago
|
||
Apache don't support SSL out-of-the-box. I know it's possible to patch Apache to do SSL but AOL IC don't currently support apache. Ie. if you want SSL it has to be NES and my statement about energy was that does anyone want to configure bugzilla for NES?
Reporter | ||
Comment 4•24 years ago
|
||
Trying to stay polite...
> AOL IC don't currently support apache
dmose just gave a very good reason to use Apache. So, either AOL ICO changes its
policy or it is inappropriate for mozilla.org.
Comment 5•24 years ago
|
||
That might be a good reason for mozilla.org but it's not for AOL IC. mozilla.org is welcome to support Apache if they want that but we don't have resources to go with every possible exception some group comes up with.
Updated•24 years ago
|
Assignee: rko → nobody
Comment 6•24 years ago
|
||
Moving to nobody... Apache support is not in IC's radar.
Reporter | ||
Comment 7•24 years ago
|
||
Why can't mozilla.org maintain its own server, incl. software?
Keywords: helpwanted
Updated•23 years ago
|
Keywords: helpwanted
Whiteboard: AOL_IC_project
Comment 9•23 years ago
|
||
I was playing with apache 1.3.20 and mod_ssl 2.84 (with openssl 0.9.6 & php- 4.0.4) just for fun and my own entertainment (results available in https://www.kotalampi.com/). It works fine but I didn't take a look how you get real server certificates into it yet. Moving the ticket to Steve.
Assignee: rko → scbrown
Comment 10•23 years ago
|
||
At this time, we will not work on this issue. If it ever comes back as an active project to us through CRM we will certainly handle it.
Assignee: scbrown → nobody
Updated•23 years ago
|
Whiteboard: AOL_IC_project
Assignee | ||
Comment 11•21 years ago
|
||
MF has its own Ops and its own servers and modern versions of Apache that actually come with mod_ssl now. This could be a reality one of these days without too much trouble. Reassigning to default.
Assignee: nobody → endico
QA Contact: endico → myk
Assignee | ||
Comment 12•21 years ago
|
||
*if* this happens, I'll more than likely be the one to wind up doing it (if not me, probably Myk, but he's already QA). Taking.
Assignee: endico → justdave
Comment 13•21 years ago
|
||
*** Bug 209595 has been marked as a duplicate of this bug. ***
Assignee | ||
Comment 14•20 years ago
|
||
The *only* thing blocking this at this point is obtaining SSL certificates signed by a trusted CA. Everything else will "just work" at this point once the certificates are dropped in. Despot is already running on SSL-only, however, not many people use that, and those that do won't have a problem accepting a self-signed certificate. Something as public as Bugzilla needs a CA-signed cert.
Assignee | ||
Comment 15•20 years ago
|
||
*** Bug 251476 has been marked as a duplicate of this bug. ***
Assignee | ||
Comment 16•20 years ago
|
||
https://bugzilla.mozilla.org/ now works. It's using a self-signed cert though. Feel free to use it. I don't feel comfortable redirecting all traffic there until we have a real cert.
Comment 17•20 years ago
|
||
Great to hear, Dave. However, it may be overkill to send all traffic through SSL; I would imagine that the processor load could create a serious performance hit. The only critical parts are the password entry forms. So, I think this bug has two components: 1) Get bugzilla.mozilla.org a CA signed cert. 2) Make adjustments to bugzilla so that links to the password entry form https for the password entry form, and then back again. It might be sufficient to just configure the web server to redirect http://bugzilla.mozilla.org/query.cgi?GoAheadAndLogIn=1 to https://bugzilla.mozilla.org/query.cgi?GoAheadAndLogIn=1.
Comment 18•20 years ago
|
||
does the logincookie not have any sensitive information? (could be, I don't know how it works)
*** Bug 253116 has been marked as a duplicate of this bug. ***
Unless cookies are cryptographically protected, they would also need the protection provided by SSL. I don't know if current Bugzilla cookies are safe to be sent over http.
Assignee | ||
Comment 21•20 years ago
|
||
The login cookie only has a token in it, which is generated when you submit your password. So yes, it would in theory be possible to only do SSL when sending passwords. There's probably something to be said for having buglists and show_bug show up under SSL if they contain secured bugs however. And that's a little harder to detect outside of the Bugzilla application.
Assignee | ||
Comment 22•20 years ago
|
||
clarification: the token contained in your login cookie is also tied to your IP address (or to your class C subnet if you uncheck the box on the login page), and can only be used from within that IP space. If your IP changes to something outside that defined space, you are forced to log in again.
Comment 23•20 years ago
|
||
Bugzilla's servers do have SSL setup (just try https://bugzilla.mozilla.org)... the problem is that mod_redirect (or some other NES equivalent) should redirect http:// to https://
Comment 24•20 years ago
|
||
It's also useful to protect bug submissions and changes against attack.
Comment 25•20 years ago
|
||
There is more than one problem with the SSL. The cert used for https://bugzilla.mozilla.org is a self-signed one, making the site vulnerable to MITM. You need a cert that chains to a root trusted by Mozilla.
Comment 26•20 years ago
|
||
I just found this site: http://www.cacert.org/ Perhaps this could be an idea? eGroupWare uses this... just a thought. (In reply to comment #25) > There is more than one problem with the SSL. The cert used for > https://bugzilla.mozilla.org is a self-signed one, making the site vulnerable to > MITM. You need a cert that chains to a root trusted by Mozilla. > >
Assignee | ||
Comment 27•20 years ago
|
||
Julien / Mick : please read the existing comments. Comment 14 and comment 16 answer (most of) the questions you just asked. SSL certs from Thawte are in process. This will be live as soon as we get them. ALL of Bugzilla will get SSL. This is a big server, it can handle it. :) Bugzilla itself puts more strain on the server than the encrypt/decrypt process ever will.
Whiteboard: PLEASE READ comments 14 and 16 before adding comments to this bug
Assignee | ||
Updated•20 years ago
|
Whiteboard: PLEASE READ comments 14 and 16 before adding comments to this bug → PLEASE READ comments 14, 16, and 27 before adding comments to this bug
Assignee | ||
Comment 28•20 years ago
|
||
*** Bug 254684 has been marked as a duplicate of this bug. ***
Assignee | ||
Comment 29•20 years ago
|
||
*** Bug 252560 has been marked as a duplicate of this bug. ***
Assignee | ||
Comment 30•20 years ago
|
||
status update: We have our Thawte account verified finally, this is now just waiting for the paperwork to get done. Hopefully any day now.
Comment 31•20 years ago
|
||
Certs have been installed. Everyone redirected from http to https.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Comment 32•20 years ago
|
||
When using a certain "well known" browser, a message containing the following warning is displayed when accessing bugzilla.mozilla.org : "The name on the security certificate is invalid or does not match the name of the site" and asks "Do you want to proceed?" with a default answer of "No". Manually inspecting the certificate shows it as being issued to (bugzilla|bonsai|tinderbox|despot|mecha).mozilla.org Presumably the certifying authority allows a regular expression for the hostname, but MSIE 6.0 does not?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 33•20 years ago
|
||
(In reply to comment #32) > Presumably the certifying authority allows a regular expression for the > hostname, but MSIE 6.0 does not? We've been running SSL on there as an option (not forcing it) for the last three months, and nobody noticed this before now? In fact, I could swear I remember someone specifically testing it on IE6 and saying it worked (they got the "not signed by a certifying authority you trust" warning because it was self-signed, but that was the only dialog).
Comment 34•20 years ago
|
||
(In reply to comment #33) > We've been running SSL on there as an option (not forcing it) for the > last three months, and nobody noticed this before now? That'd be with a different certificate though....... can't comment as I didn't see it. > In fact, I could swear I remember > someone specifically testing it on IE6 and saying it worked (they got the "not > signed by a certifying authority you trust" warning because it was > self-signed, but that was the only dialog). This would be the same dialog... it now starts with the first two items having green ticks by them: "The security certificate is from a trusted certifying authority." "The security certificate is valid." It does work, but you have to click-through the dialog which whines about a certificate that it thinks looks invalid (once you click "Yes" it then considers it valid for the entire session). All other secure sites I have seen require a different IP address for each hostname in order to present the correct cert. Incidentally, I note that at present this redirection is done even in this case: > telnet bugzilla.mozilla.org 80 GET / HTTP/1.0 Host: bugzilla.mozilla.org HTTP/1.1 301 Moved Permanently Date: Tue, 21 Sep 2004 16:24:50 GMT [....] Currently a google search for (e.g.) [ mozilla bug system ] returns bugzilla.mozilla.org as the top match. Presumably this will cease to be the case when google (and other search engines) see this 301 response. Similarly, would there be any instances where 3rd party sites or scripts request data from b.m.o (perhaps requesting buglists in CSV to be passed to an analysis script) that would be broken by getting this response instead of expected data? Admittedly this is desirable behaviour for any spambots that already learned the s/@/@/ trick, but seems undesirable for any other case. IMHO the redirection should be limited to cases where: a) The user is already logged in, or b) bugzilla wishes to request login details. In other cases the information is public by definition and I do not see why it would require SSL protection. Even when already logged in, REQUIRING https seems to me to be an overkill for most users (who do not have any privilege bits set) - it would be far easier for an attacker to just create their own account on b.m.o than to hijack an unprivileged user's account. "Always use SSL" could be a user pref, which policy dictates MUST be enabled for any user with bz_secure access. Arguably bugzilla should also use PGP on outgoing emails to such users too, but that would definitely be another bug!
Comment 35•20 years ago
|
||
A certificate with a subject name like (bugzilla|bonsai|tinderbox|despot|mecha).mozilla.org is a Netscape extension. The standard way is to leave the subject name empty and put the DNS names bugzilla.mozilla.org, bonsai.mozilla.org, tinderbox.mozilla.org, despot.mozilla.org, and mecha.mozilla.org in a subjectAltName extension. Note that only recent Mozilla-based browsers using NSS 3.5.1 or later support a subjectAltName extension of this form (https://bugzilla.mozilla.org/show_bug.cgi?id=103752). So old Netscape Communicator 4.x doesn't support it, but Mozilla 1.2 or later does.
Assignee | ||
Comment 36•20 years ago
|
||
(In reply to comment #34) > Currently a google search for (e.g.) [ mozilla bug system ] returns > bugzilla.mozilla.org as the top match. Presumably this will cease to be the > case when google (and other search engines) see this 301 response. That could be a good thing. There's a lot of people who link there that should be linking to www.bugzilla.org instead. > Similarly, would there be any instances where 3rd party sites or scripts > request data from b.m.o (perhaps requesting buglists in CSV to be passed to an > analysis script) that would be broken by getting this response instead of > expected data? Admittedly this is desirable behaviour for any spambots that > already learned the s/@/@/ trick, but seems undesirable for any other > case. Yeah, it already broke some of the ircbots, most of them have already been fixed. > IMHO the redirection should be limited to cases where: > a) The user is already logged in, or > b) bugzilla wishes to request login details. > > In other cases the information is public by definition and I do not see why it > would require SSL protection. The problem with this is it requires application-level support to do the redirecting back and forth between http and https, and Bugzilla doesn't support that yet. That's bug 260682.
Comment 37•20 years ago
|
||
Apologies for polluting this bug with a bunch of other issues (comment 34) - I'll take any valid points from that into other bugs in due course... However, the main point is that, as described in my comment 32 and explained in Comment #35 From Wan-Teh Chang, bugzilla.mozilla.org does not have a valid SSL certificate since it relies on a netscape extension that is not supported by other browsers. While it is only a minor annoyance to have to click past the security dialog each time the site is visited, I would suggest that anything which would train users to ignore a security warning is a bad idea. Since there is no secure information available to the vast majority of Bugzilla users, surely regular http access should be available at least until there is a VALID certificate available, in order to avoid training some users into bad habits?
Comment 38•20 years ago
|
||
This bug is fixed. Please file a new bug for the issue of support for the certificate in IE.
Status: REOPENED → RESOLVED
Closed: 20 years ago → 20 years ago
Resolution: --- → FIXED
Comment 39•20 years ago
|
||
According to comment #35, the current certificate is using a non-standard extension. I would suggest that filing a bug against a third-party product for failing to support a non-standard extension has little merit. Rather, if a new bug is entered, it should be filed against the SSL certificate, to have it use the subjectAltName field.
Comment 40•20 years ago
|
||
> if a new bug is entered, it should be filed against the SSL certificate,
> to have it use the subjectAltName field.
Right.
Comment 41•20 years ago
|
||
If/when that new bug about the SSL cert is filed, somebody please cc me on that bug, and add a comment to this bug pointing to that one. I want to make sure mozilla avoids the usual mistake when first using subject alt names in a cert. Thanks.
Comment 42•20 years ago
|
||
(In reply to comment #41) > If/when that new bug about the SSL cert is filed, somebody please cc me > on that bug, and add a comment to this bug pointing to that one. Done - see bug 261900
Updated•9 years ago
|
Product: mozilla.org → mozilla.org Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•