
New system check to Warn users if force_ssl is not yet enabled #7279

Closed
sirtet opened this issue Feb 23, 2015 · 12 comments · Fixed by #13193
Labels: c: Security (For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.); Enhancement (For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.)

Comments

sirtet commented Feb 23, 2015

It seems that Piwik does not automatically redirect to https.
Shouldn't that be done to increase safety? Protect the login credentials as well as all that sensitive user data...

Globulopolis (Contributor) commented

Add force_ssl = 1 under [General] section of config.ini.php.

mattab (Member) commented Feb 23, 2015

Explained in this FAQ

@mattab mattab closed this as completed Feb 23, 2015
@mattab mattab added the answered For when a question was asked and we referred to forum or answered it. label Feb 23, 2015
sirtet (Author) commented Feb 23, 2015

I see.
So, what's the reason that it is not set by default?

mattab (Member) commented Feb 23, 2015

Many users don't have SSL on their servers, unfortunately.

sgiehl (Member) commented Feb 23, 2015 via email

sirtet (Author) commented Feb 23, 2015

I understand that not everyone has SSL available.
That's why I titled it "if available".
The code to switch over IF AVAILABLE would be fairly easy, I guess, looking at the gained security.

mattab (Member) commented Feb 23, 2015

That's a good point, reopening!

@mattab mattab reopened this Feb 23, 2015
ThaDafinser (Contributor) commented

Current detection code is here: https://github.com/piwik/piwik/blob/master/core/FrontController.php#L516-L538

@sirtet how can you "detect" that without performance loss?
Idea 1) Make a request with https and see if you get a valid response....
Idea 2) ???

sirtet (Author) commented Feb 25, 2015

> how can you "detect" that without performance loss?

No idea, I am not a coder, unfortunately.
I guess it needs to be detected only once, on install, and then force it.
Or are there any use-cases where someone explicitly wants to opt out of security that is there, and use http instead of https?

mattab (Member) commented Feb 25, 2015

The problem with detecting it once is that maybe it works today, but in 2 months the SSL will be broken. Redirecting to SSL would break Piwik in this case. But maybe it's acceptable for added security...

@mattab mattab added Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc. and removed answered For when a question was asked and we referred to forum or answered it. labels Feb 25, 2015
@mattab mattab added this to the Mid term milestone Feb 25, 2015
mattab (Member) commented Apr 28, 2016

See also the related issue: #7366 (comment)

@mattab mattab modified the milestones: Long term, Mid term Dec 5, 2016
@mattab mattab changed the title Redirect to https if available New system check to Warn users if force_ssl is not yet enabled Dec 13, 2017
@mattab mattab added c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. and removed Lower priority labels Dec 13, 2017
mattab (Member) commented Dec 13, 2017

Instead of detecting and redirecting to SSL, we should rather add a new system check that issues a warning when force_ssl is not used. This will help users work to enable SSL on their Piwik server (updated ticket title).
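The following is an added example, not code from Matomo/Piwik or from anyone in this thread, sketching the system check described above and the detection question raised earlier in the thread. Rather than making an extra HTTPS probe request (Idea 1), it treats the current request already having arrived over HTTPS as proof that SSL is available, reads force_ssl from the [General] section of config.ini.php, and returns a warning when HTTPS works but force_ssl is off. The function names, the status strings and the sample config are assumptions of this example; Matomo's real diagnostic API is not used here so that the snippet runs stand-alone.

```php
<?php
// Added example (not Matomo/Piwik code): a minimal "force_ssl" system check.
// It reads [General] from config.ini.php contents and warns when force_ssl is
// not enabled although the current request already arrived over HTTPS, which
// shows SSL is available without sending a probe request. Names are hypothetical.

declare(strict_types=1);

function forceSslEnabled(string $iniContents): bool
{
    // parse_ini_string returns false on syntax errors; treat that as "not enabled".
    $config = parse_ini_string($iniContents, true, INI_SCANNER_TYPED);
    if ($config === false) {
        return false;
    }
    return !empty($config['General']['force_ssl']);
}

function requestIsHttps(array $server): bool
{
    // TLS terminated by the web server itself...
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    if (isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443) {
        return true;
    }
    // ...or at a reverse proxy. Only trust this header when the proxy is known
    // to set it (Matomo has proxy-related settings for that; assumed here).
    return isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower((string) $server['HTTP_X_FORWARDED_PROTO']) === 'https';
}

/**
 * Returns a diagnostic result: 'ok' when force_ssl is on, 'warning' when it is
 * off although HTTPS is demonstrably available, and 'info' when it is off and the
 * request was plain HTTP (the server may simply have no certificate yet).
 */
function checkForceSsl(string $iniContents, array $server): array
{
    if (forceSslEnabled($iniContents)) {
        return ['status' => 'ok', 'comment' => 'force_ssl is enabled; requests are redirected to HTTPS.'];
    }
    if (requestIsHttps($server)) {
        return [
            'status'  => 'warning',
            'comment' => 'This request was served over HTTPS, but force_ssl is not set. '
                       . 'Add "force_ssl = 1" under [General] in config.ini.php so that '
                       . 'login credentials and reports are never sent over plain HTTP.',
        ];
    }
    return [
        'status'  => 'info',
        'comment' => 'force_ssl is not set and this request was plain HTTP. '
                   . 'Enable force_ssl once a certificate is installed.',
    ];
}

// Constructed sample config (same layout as config.ini.php) and server variables.
$sampleConfig = <<<'INI'
; <?php exit; ?> DO NOT REMOVE THIS LINE
[General]
salt = "example-salt"
force_ssl = 0
INI;

$result = checkForceSsl($sampleConfig, ['HTTPS' => 'on', 'SERVER_PORT' => '443']);
echo $result['status'], ': ', $result['comment'], PHP_EOL;
```

With the sample above the check reports a warning, because the request was HTTPS while force_ssl is 0; changing the sample to force_ssl = 1 yields "ok", and a plain-HTTP request yields only "info", which avoids the breakage mattab describes when a once-detected certificate later stops working: nothing is redirected, the user is only told what to enable.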
