
#2 Enable HTTPS on project web

open
nobody
Project-web/Developer-web
2014-03-20
2012-09-11
Robert Važan
No

Computing overhead of HTTPS is extremely low, especially when compared to PHP & MySQL. Configuration is easy. Only one wildcard certificate is needed for the whole sourceforge domain. So why not? You could have it up & running this evening.

SourceForge encourages projects to migrate their hosted apps (e.g. WordPress or wiki) to project web space. All these apps come with an administration interface that requires the administrator to log in. Since project web doesn't support SSL, administration sessions go through unencrypted HTTP connections, which makes them vulnerable to trivial password/cookie sniffing attacks. This is particularly important on SourceForge, where software is distributed to end users. Hijacking WordPress, for example, would allow the attacker to insert fake download links that would enable the attacker to infect thousands of other systems.

(ticket moved from site support section to feature requests)

Comment from Chris Tsai:

I would like to note that this is not quite so simple; there are other things to consider beyond just the technical feasibility.

Discussion

  • GodMod
    2012-09-16

    Would like to see this, too

     
  • Joost Kop
    2014-03-20

    I need this for oauth2 verification of the xbmc-dropbox addon. Dropbox requires an https redirect URL...