Tracking code could use HTTPS when the Piwik server is configured to force SSL connections #7366

Closed
b-pfl opened this issue Mar 5, 2015 · 22 comments · Fixed by #12799
Labels: c: Privacy (For issues that impact or improve the privacy), c: Security (For issues that make Matomo more secure. Please report issues through HackerOne and not in Github), Enhancement (For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.), Help wanted (Beginner friendly issues or issues where we'd highly appreciate community's help and involvement), Major (Indicates the severity or impact or benefit of an issue is much higher than normal but not critical)

Comments

b-pfl commented Mar 5, 2015

Dear all,

I just noted that the auto-generated JavaScript / image tracking code seems to be incomplete for the server URL. The following code is generated and misses the protocol information (e.g., "https:" or "http:") in front of the URL string (e.g., during the definition of "u").

Is there a reason for this?

<!-- Piwik -->
<script type="text/javascript">
  var _paq = _paq || [];
  _paq.push(['trackPageView']);
  _paq.push(['enableLinkTracking']);
  (function() {
    var u="//<url>";
    _paq.push(['setTrackerUrl', u+'piwik.php']);
    _paq.push(['setSiteId', 1]);
    var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
    g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
  })();
</script>
<noscript><p><img src="//<url>?idsite=1" style="border:0;" alt="" /></p></noscript>
<!-- End Piwik Code -->
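What the browser does with the scheme-relative "//<url>" in the snippet above, as an added example (not code from the issue or from Piwik/Matomo): the base is resolved against the URL of the page that embeds it, so the same snippet yields a cleartext tracker URL on an http:// page and an encrypted one on an https:// page, while a base with a pinned "https://" scheme yields the same URL either way. The host name analytics.example, the /piwik/ path and the page URLs are constructed for illustration.

```javascript
// Added example, not Piwik/Matomo code. Host, path and page URLs are assumptions.
// The generated snippet does g.src = u + 'piwik.js' and setTrackerUrl(u + 'piwik.php');
// both are resolved by the browser against the page that embeds the snippet,
// exactly as new URL(relative, base) does here.

const SCHEME_RELATIVE_BASE = "//analytics.example/piwik/";    // the generated var u="//<url>"
const PINNED_HTTPS_BASE = "https://analytics.example/piwik/"; // what this issue asks for

// Resolve the tracker base plus a file name the way the browser resolves g.src.
function resolveTrackerUrl(base, pageUrl, file = "piwik.php") {
  return new URL(base + file, pageUrl).href;
}

// True when the tracking request would leave the browser unencrypted.
function isPlaintext(base, pageUrl) {
  return new URL(resolveTrackerUrl(base, pageUrl)).protocol === "http:";
}

// Compare both bases against an http:// page and an https:// page (constructed URLs).
function compare(pageUrls = ["http://legacy.example/index.html", "https://shop.example/cart"]) {
  return pageUrls.map((page) => ({
    page,
    schemeRelative: resolveTrackerUrl(SCHEME_RELATIVE_BASE, page),
    schemeRelativePlaintext: isPlaintext(SCHEME_RELATIVE_BASE, page),
    pinnedHttps: resolveTrackerUrl(PINNED_HTTPS_BASE, page),
    pinnedHttpsPlaintext: isPlaintext(PINNED_HTTPS_BASE, page),
  }));
}

console.table(compare());
```

Run it with Node: the scheme-relative row for the http:// page comes out as http://analytics.example/piwik/piwik.php with schemeRelativePlaintext true, which is the case the rest of this thread is about; the pinned base never produces a plaintext URL, whatever the page's scheme.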
sgiehl (Member) commented Mar 5, 2015 via email

pebosi (Contributor) commented Mar 5, 2015

b-pfl (Author) commented Mar 5, 2015

Thanks for the clarification! First it did not work on my site but now it interestingly does.
Is there a chance to define that the automatically generated script always links to the encrypted page? When I set force_ssl to 1 in config.ini.php requests to the web interface get redirected to https://. However, this does not affect the javascript / image code fragments generated in the backend...

tsteur (Member) commented Mar 5, 2015

See #7267 where we talked about a similar thing. We're getting this feedback quite often recently. 👍 for this

@mattab mattab changed the title Incomplete tracking code: http/https missing in front of URL string Tracking code could use HTTPS when the Piwik server is configured to force SSL connections Mar 5, 2015
mattab (Member) commented Mar 5, 2015

I renamed the issue in an attempt to clarify the scope. I'm not 100% sure that we should make HTTPS tracking the default when force_ssl=1 because it could have some performance implications on the Tracking API (for example we use force_ssl but we haven't tested the performance implications if suddenly all tracking API requests would use HTTPS)

tsteur (Member) commented Mar 6, 2015

I think it is more about what users expect. When I set a force_ssl property to 1, then I would expect it is considered everywhere unless it is named something like force_ssl_in_ui

@mattab mattab added Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. labels Apr 8, 2015
@mattab mattab added this to the Mid term milestone Apr 8, 2015
tsteur (Member) commented Apr 17, 2015

Also maybe an interesting read: The Protocol-relative URL technique is now an anti-pattern

mattab (Member) commented May 15, 2015

in the forums, a user expected force_ssl to also force SSL connection to Tracking API on his websites: http://forum.piwik.org/read.php?2,126694

@mattab mattab modified the milestones: Short term, Mid term May 15, 2015
Globulopolis (Contributor):
Provide two separate options for force_ssl. The first for the UI (I mean when the user logs into the Piwik admin page), the second for the tracker.

mattab (Member) commented Jul 9, 2015

As part of this issue we should also check this FAQ:
http://piwik.org/faq/how-to/faq_91/#comments

This was reported in feedback:

Comment: I think this information is a bit misleading. I worried that setting force_ssl would also force redirects for the requests made by the tracking code. That's not what I want, because we're using a self signed certificate at the moment.
However turns out that's not the case.
The documentation here suggests ALL requests are redirected.

@mattab mattab added the Major Indicates the severity or impact or benefit of an issue is much higher than normal but not critical. label Jul 9, 2015
mattab (Member) commented Apr 28, 2016

See also: Google Analytics uses HSTS - maybe we could send this response header HSTS? https://www.owasp.org/index.php/HTTP_Strict_Transport_Security

Findus23 (Member) commented Feb 14, 2017

In my opinion this is quite important.
My example use case: I am hosting a website on a cheap shared hosting (so no https possible), but piwik is on an own server (so only https, force_ssl=1 and all http requests are redirected to https)
But with the default (//-URL) all visitor data is transmitted unencrypted and (because of the redirect) again via https.

As a result

  • everything is transmitted twice
  • SSL is useless as everyone can intercept the first unencrypted request

HSTS would solve this (at least after the first request), but it also should work without it.

tsteur (Member) commented Feb 14, 2017

@Findus23 I have just updated https://plugins.piwik.org/ForceSSL to also force SSL in generated tracking code.

Findus23 (Member):
@tsteur That's great.

Maybe also suggest enabling force_ssl=1 and the ForceSSL while installing if the site is using HTTPS.

tsteur (Member) commented Feb 14, 2017

The plugin sets "force_ssl" automatically

Findus23 (Member):
@tsteur, I am still not sure if adding this feature to a plugin that only few people will use, solves this issue.

Because of this the majority of users will still send the private data of their users over unencrypted HTTP even though their Piwik-Server supports SSL and as a result they think "everything is secure" even though it isn't. (And I think the use case of having piwik on a modern server with an SSL cert, but tracking an old legacy website, which only runs via HTTP, is quite common)

It shouldn't matter how the website is delivered, the tracking data should always be sent via the most secure way possible.

tsteur (Member) commented May 11, 2017

See #7366 (comment); it should still be forced in Piwik as well eventually IMO.

Findus23 (Member):
@tsteur, what comment do you mean? The link just links to this issue.

tsteur (Member) commented May 11, 2017

That's funny, link seems to not work. Meant my second comment.

@mattab mattab added the Help wanted Beginner friendly issues or issues where we'd highly appreciate community's help and involvement. label Jun 21, 2017
mattab (Member) commented Dec 13, 2017

Solving this issue will actually solve real bugs, so increasing priority.
e.g. some servers are set up to redirect all requests from HTTP to HTTPS (even the piwik.php tracking API request). This can cause errors like: Failed to load http://look.anixa.tv/piwik.php: Redirect from 'http://look.anixa.tv/piwik.php' to 'https://X/piwik.php' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://Y' is therefore not allowed access. In some cases this causes the session recording and possibly other features to fail.

@mattab mattab modified the milestones: Priority Backlog (Help wanted), 3.2.2 Dec 13, 2017
mattab (Member) commented Dec 13, 2017

This issue is only about changing var u="//<url>"; to var u="https://<url>"; in the JS tracking code when force_ssl is enabled
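The change scoped in the comment above, together with the on-the-wire consequences Findus23 and mattab describe earlier in the thread (the cleartext first hop, the server-side http-to-https redirect that sends the data a second time, and HSTS short-circuiting that after the first visit), as an added example that is not Matomo's own code: a small generator that emits "https://<url>" instead of "//<url>" when force_ssl is on, and a trace of the requests a browser would make for one page. The host names, the forceSsl / serverRedirectsHttp / hstsHosts option names and the redirect itself are assumptions for illustration; CORS is not simulated, the trace only flags where a cross-origin redirect would need the headers the quoted error complains about.

```javascript
// Added example, not Matomo's code. Option names, hosts and page URLs are assumptions.

// The change proposed in this issue: "https://<url>" when force_ssl is on,
// otherwise the historical scheme-relative "//<url>".
function trackerBase(host, path, forceSsl) {
  return (forceSsl ? "https:" : "") + "//" + host + path;
}

// Emit the snippet in the same shape as the one pasted at the top of the issue.
function buildSnippet({ host, path, siteId, forceSsl }) {
  const u = trackerBase(host, path, forceSsl);
  return [
    "<!-- Piwik -->",
    '<script type="text/javascript">',
    "  var _paq = _paq || [];",
    "  _paq.push(['trackPageView']);",
    "  _paq.push(['enableLinkTracking']);",
    "  (function() {",
    `    var u="${u}";`,
    "    _paq.push(['setTrackerUrl', u+'piwik.php']);",
    `    _paq.push(['setSiteId', ${siteId}]);`,
    "    var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];",
    "    g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);",
    "  })();",
    "</script>",
    `<noscript><p><img src="${u}piwik.php?idsite=${siteId}" style="border:0;" alt="" /></p></noscript>`,
    "<!-- End Piwik Code -->",
  ].join("\n");
}

// Trace the tracking request for one page: where the first byte goes, whether it
// is encrypted, and whether a server-side http->https redirect makes the same
// visitor data cross the network a second time.
function requestTrace({ host, path, forceSsl, serverRedirectsHttp = false, hstsHosts = new Set() }, pageUrl) {
  const page = new URL(pageUrl);
  const target = new URL(trackerBase(host, path, forceSsl) + "piwik.php", page);
  const upgraded = "https://" + target.host + target.pathname + target.search;

  // A browser holding an HSTS entry for the host rewrites http:// to https://
  // before anything is sent, so the plaintext hop never happens.
  if (target.protocol === "http:" && hstsHosts.has(target.host)) {
    return [{ url: upgraded, encrypted: true, via: "hsts-upgrade" }];
  }

  const hops = [{ url: target.href, encrypted: target.protocol === "https:", via: "direct" }];
  if (target.protocol === "http:" && serverRedirectsHttp) {
    // The data already crossed the network in clear text; the redirect sends it
    // again. When the tracker is on a different origin than the page, the redirect
    // response must also carry CORS headers or the browser blocks the request.
    hops.push({
      url: upgraded,
      encrypted: true,
      via: "redirect",
      crossOriginRedirect: target.origin !== page.origin,
    });
  }
  return hops;
}

// Constructed scenario from the thread: http-only legacy site, https-only Piwik host.
const piwik = { host: "analytics.example", path: "/piwik/", siteId: 1, serverRedirectsHttp: true };
const legacyPage = "http://legacy.example/index.html";

console.log(requestTrace({ ...piwik, forceSsl: false }, legacyPage)); // two hops, the first in clear text
console.log(requestTrace({ ...piwik, forceSsl: true }, legacyPage));  // one encrypted hop
console.log(buildSnippet({ ...piwik, forceSsl: true }));
```

With forceSsl off, the trace shows the cleartext request to http://analytics.example/piwik/piwik.php followed by the redirected https:// hop flagged as cross-origin, which is the double transmission and the CORS failure described above; with forceSsl on, or once the browser holds an HSTS entry for the tracker host, there is a single encrypted hop. Pinning the scheme in the generated code is the only one of the three that does not depend on the visitor having been to the tracker host before.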

@mattab mattab modified the milestones: 3.5.0, 3.4.1 Mar 26, 2018
@Findus23 Findus23 added the c: Privacy For issues that impact or improve the privacy. label Apr 18, 2018
Findus23 (Member):
In my opinion this change is required regarding GDPR as we can't protect user data properly if we don't even know who read it before it hit the Matomo server.

I would even go as far as to send a reminder to users to update their old tracking codes.
