Re: HTTPS access to Bugzilla?

<begin bad cop>

On Sun, 2002-07-21 at 14:46, Derek Atkins wrote:
> Luis Villa <louie ximian com> writes:
> 
> > And this is information they can't get from simply querying bugzilla
> > and/or using other vulnerabilities to get at your password how[1]?
> 
> That's not an attack that I'm worried about.

As Luis said, there aren't any other attacks that we care about against
Bugzilla.  It IS insecure, and you should be using a valueless password
for it.

> > You're being (IMHO) overly paranoid about something that just isn't that
> > important.
> 
> I'm being worried about passive eavesdropping, not active attacks.
> You may consider it paranoid, but every conference they put the
> collection of acquired passwords on the large screen in front of
> everybody.

Whoopie, so they've got your bugzilla password.  Sorry, but I fail to
see this as a concern, certainly not ours.  If you've got some sort of a
pattern to your passwords, and they can use that information to get some
other password of yours, then I submit that you've got bigger security
concerns than our bugzilla being insecure.

> I don't want to broadcast my password to anyone listening on the local
> network.  I'm not worried about them going out of their way to break
> Bugzilla to get my information; I'm worried about them reading it as
> it travels across the local (shared) network.

There is essentially no confidential information in Bugzilla, so if
somebody grabs all of the information that comes up when you load the
webpage, they're only getting information that's publicly available.

> > > I don't see how setting up https is much administrative overhead.  You
> > > only need to set it up once then never touch it again.
> > 
> > Because setting it up once is > 0, which is about how much time the
> > admins have.
> 
> As I said, I'm willing to help set it up.

Setting it up isn't the hard part.  We haven't got the spare horsepower
to devote to SSL/TLS at the moment.  Securing bugzilla is a lot more
demanding, and lower on my list of priorities than securing CVS, and
that hasn't even gotten done yet.  Sorry, but for the time being,
there's no HTTPS access to bugzilla.  If you're concerned that it will
fall off of our list of things to do, feel free to file a bug against it
in bugzilla.
	Greg
	(the bad cop who does loads of the gnome.org server work)