[Kolab-devel] http without s access to issues.kolab.org (bugzilla)
Bernhard Reiter
bernhard at intevation.de
Fri Dec 2 14:33:12 CET 2011
On Friday, 2 December 2011 13:14:56, Jeroen van Meeuwen (Kolab
Systems) wrote:
> On 2011-12-02 11:33, Bernhard Reiter wrote:
> > it seems that issues.kolab.org always switches to https when
> > requested as http. I know a couple of organisations where https is only
> > allowed if the certificate is fully authorized by the firewall.
> > The current setting excludes people from looking at issues and
> > participating in our initiative.
> >
> > There are several possible solutions:
> > a) allow http
>
> At least pretending to be, but perhaps just being a security-conscious
> individual, I'm inclined to refuse allowing plain-text logins, for all
> the obvious reasons,
Any measure has good and bad sides. The possible threat scenarios
on bugzilla accounts are limited. I don't think a secure channel is always
necessary. Right now the issues.kolab.org setting also disallows just looking
at issues over http. For looking at issues without login,
I don't see an attack scenario which https would be effective for.
I think allowing http for the bugzilla is a good security choice.
> > b) pay the common-ca-in-browsers tax with a good ca.
> >
> > Half a solution would be to use Intevation's tiny CA, where we can
> > tell
> > organisations at least to import one proper root ca.
>
> The wildcard certificate that was given to us by Thomas Arendsen Hein
> is actually a *.kolab.org wildcard certificate signed by Intevation
> GmbH's CA.
Oh sorry, you are absolutely correct for issues.kolab.org. I was on the demo
server which seems to be okay to be accessible via http. But it has a
self-signed certificate. I forgot to mention the other server.
As written before, using Intevation's CA is only half of a solution and some
firewalls might not like the wildcard part.
Cacert also is half a solution.
Best,
Bernhard
--
Managing Director + Owner: www.Intevation.net <- A Free Software Company
Kolabsys.com: Board Member FSFE.org: Founding GA Member
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner