[Pharo-users] Insecure issue tracker registration
tim at testit.works
Fri Jun 15 07:56:40 EDT 2018
I think Let’s Encrypt can be your friend (that seems to be the instructions all of the providers give - e.g. https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04).
Alternatively - and this applies more to Pharo.org - why not stick it on Netlify (https://www.netlify.com/docs/welcome/) which does https for you. I was amazed how much it does by checking your site off git and even offers some dynamic hooks too.
I am still sizing up porting my metalsmith generated site to something pillar based - but the concept is the same and depending on how you do things, it might be quite trivial.
> On 15 Jun 2018, at 10:15, Marcus Denker <marcus.denker at inria.fr> wrote:
> Yes, we really need to set up SSL for that server. I will have a look next week.
>> On 13 Jun 2018, at 10:25, Manuel Leuenberger <leuenberger at inf.unibe.ch> wrote:
>> I announced my concerns on Discord already, but got no reaction, so I post it here as well to have it properly archived.
>> "A colleague just noticed that the registration for the issue tracker is HTTP-only. This is not an appropriate choice for sensitive data like a password. Any possibilities to make this HTTPS-only?
>> Link: http://tracker.pharo.org/issues-register-service, setting https:// manually does not work"
>> From my perspective this is a serious problem that should be quickly addressed; it's not just a nice-to-have feature. Not treating sensitive data with proper care leaves an image of not caring about user security and looks unprofessional. I don't think that is what Pharo needs.