#2 Enable HTTPS on project web

implemented
nobody
Project-web/Developer-web
2016-11-30
2012-09-11
No

Computing overhead of HTTPS is extremely low, especially when compared to PHP & MySQL. Configuration is easy. Only one wildcard certificate is needed for the whole sourceforge domain. So why not? You could have it up & running this evening.

Sourceforge encourages projects to migrate their hosted apps (e.g. WordPress or wiki) to project web space. All these apps come with administration interface that requires administrator to log in. Since project web doesn't support SSL, administration sessions go through unencrypted HTTP connections, which makes them vulnerable to trivial password/cookie sniffing attacks. This is particularly important on sourceforge where software is distributed to end users. Hijacking WordPress, for example, would allow the attacker to insert fake download links that would enable the attacker to infect thousands of other systems.

(ticket moved from site support section to feature requests)

Comment from Chris Tsai:

I would like to note that this is not quite so simple, there are other things to consider beyond just the technical feasibility.

Related

Feature Requests: #513

Discussion

  • GodMod

    GodMod - 2012-09-16

    Would like to see this, too

     
  • Joost Kop

    Joost Kop - 2014-03-20

    I need this this for oauth2 verification of the xbmc-dropbox addon. Dropbox requires a https redirect URL...

     
  • MICHΔΣL

    MICHΔΣL - 2016-06-28

    I've built a coding playground and in order to my users to use Geolocation my application must be hosted over HTTPS. (Same Origin Policy

    I'd really like to see this integrated otherwise I will have to migrate my application's hosting provider.

     
    Last edit: MICHΔΣL 2016-06-28
  • Dave Brondsema

    Dave Brondsema - 2016-11-30
    • status: open --> implemented
     
  • konsolebox

    konsolebox - 2016-11-30

    TYVM!

     

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks