
Use HTTPS by default for connections to matomo.org (with working fallback to HTTP requiring super user edit the INI config) #19081

Closed
justinvelluppillai opened this issue Apr 12, 2022 · 5 comments · Fixed by #19098
Labels: c: Documentation (for issues related to in-app product help messages, or to the Matomo knowledge base); c: Security (for issues that make Matomo more secure; please report security issues through HackerOne and not on GitHub); Enhancement (for new feature suggestions that enhance Matomo's capabilities or add a new report, new API, etc.); Major (indicates the severity, impact or benefit of an issue is much higher than normal but not critical).

Comments

@justinvelluppillai
Contributor

justinvelluppillai commented Apr 12, 2022

Remaining steps

Initial issue

This applies to all api.matomo.org and plugins.matomo.org calls.

  1. DONE First we add a new required system check showing users whether the connection over HTTPS works or not for these endpoints. If it doesn't work, then there should be an error shown explaining that we will soon switch to HTTPS by default. They should either make HTTPS work or disable HTTPS (see next item). We should mention the consequences of not fixing this issue (eventually they won't receive any updates anymore, which is a big security issue for sure; and using HTTP is a minor security issue, since someone could pretend there is no longer an update available).

  2. We introduce a setting to force HTTP instead of HTTPS, as some people won't be able to change their PHP, either because the hoster doesn't allow it or because they aren't technical enough, etc.

  3. Create an FAQ about how to make HTTPS work or disable HTTPS and link to it in the system check error message in 1 above.
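The three steps above, as one added example in Python (this is not Matomo's own code; Matomo is written in PHP, and its real diagnostic and setting names may differ). The hostnames api.matomo.org and plugins.matomo.org come from the issue; the INI key `force_matomo_org_http` in the `[General]` section and the FAQ link are assumed placeholders. The check reports per endpoint whether HTTPS works, and the HTTP fallback can only be enabled by editing the INI config; when it is enabled, the check still shows a warning rather than going quiet, so the weaker channel stays visible in the diagnostics.

```python
"""Added example: an HTTPS reachability system check with an explicit,
config-gated HTTP fallback, following the steps in this issue.
Not Matomo's code; the INI key and FAQ URL are placeholders."""
import configparser
import socket
import ssl
from dataclasses import dataclass
from typing import Callable, List

# Endpoints the issue says must be reached over HTTPS.
ENDPOINTS = ["api.matomo.org", "plugins.matomo.org"]

# Hypothetical INI location of the fallback switch (placeholder names).
INI_SECTION = "General"
INI_KEY = "force_matomo_org_http"

# Constructed sample config: the secure default, fallback not enabled.
SAMPLE_INI = "[General]\nforce_matomo_org_http = 0\n"

# Placeholder for the FAQ from step 3; the real URL is not reproduced here.
FAQ_PLACEHOLDER = "https://matomo.org/faq/<faq-on-https-to-matomo-org>"


@dataclass
class CheckResult:
    host: str
    status: str   # "ok", "warning" or "error"
    message: str


def read_force_http(ini_text: str) -> bool:
    """Step 2: the HTTP fallback exists only as an INI setting, so enabling it
    requires a super user editing the config file, not a UI toggle."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    return cfg.getboolean(INI_SECTION, INI_KEY, fallback=False)


def endpoint_url(host: str, force_http: bool) -> str:
    """HTTPS is the default scheme; HTTP only when the fallback is set."""
    scheme = "http" if force_http else "https"
    return f"{scheme}://{host}/"


def probe_https(host: str, timeout: float = 5.0) -> bool:
    """Live probe: a TLS handshake with certificate and hostname verification.
    Any failure (no CA bundle, blocked port, bad cert) is what step 1 surfaces."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def https_system_check(force_http: bool,
                       probe: Callable[[str], bool] = probe_https,
                       hosts: List[str] = ENDPOINTS) -> List[CheckResult]:
    """Step 1: report per host whether HTTPS works. With the fallback enabled
    the result is a warning, never silence, so plain-HTTP use stays visible."""
    results = []
    for host in hosts:
        if force_http:
            results.append(CheckResult(host, "warning",
                f"{host}: HTTPS disabled via {INI_KEY}; plain HTTP is in use, so "
                f"someone on the network could pretend no update is available"))
        elif probe(host):
            results.append(CheckResult(host, "ok", f"{host}: HTTPS connection works"))
        else:
            results.append(CheckResult(host, "error",
                f"{host}: HTTPS connection failed. Without HTTPS, Matomo will "
                f"eventually receive no updates; fix HTTPS or have a super user "
                f"enable the fallback in the INI config. See {FAQ_PLACEHOLDER}"))
    return results


def overall_status(results: List[CheckResult]) -> str:
    """Worst status wins, so a single failing endpoint fails the check."""
    order = {"ok": 0, "warning": 1, "error": 2}
    return max((r.status for r in results), key=order.__getitem__, default="ok")


if __name__ == "__main__":
    # Offline demo with a constructed probe: api works, plugins host fails.
    fake_probe = lambda host: host == "api.matomo.org"
    force_http = read_force_http(SAMPLE_INI)
    for r in https_system_check(force_http, probe=fake_probe):
        print(f"[{r.status.upper()}] {r.message}")
    print("overall:", overall_status(https_system_check(force_http, probe=fake_probe)))
```

To run the check against the live endpoints, drop the `probe=` argument so `probe_https` is used; note that it verifies the server certificate, which is exactly the part that fails on hosts with a missing or stale CA bundle, and that is the situation the FAQ in step 3 is meant to cover.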

@justinvelluppillai justinvelluppillai added the Major, Enhancement, c: Security and c: Documentation labels Apr 12, 2022
@justinvelluppillai justinvelluppillai added this to the 4.10.0 milestone Apr 12, 2022
@sgiehl sgiehl modified the milestones: 4.10.0, 4.11.0 May 5, 2022
@justinvelluppillai
Contributor Author

@peterhashair did number 3 get done also, regarding creating or updating the FAQs? It would be good to link to that in this issue for completeness when done.

@peterhashair
Contributor

FAQ here: https://matomo.org/faq/faq-how-to-disab…omo-org-requests/

@peterhashair peterhashair reopened this Jul 14, 2022
@peterhashair
Contributor

Reopening this issue. As we discussed, we will not force users to use HTTPS at this stage, only show a warning message. In the next stage we will force HTTPS connections. Ref here: https://github.com/matomo-org/matomo-security/issues/195

@justinvelluppillai justinvelluppillai changed the title Requests to matomo.org should use HTTPS by default Notify that requests to matomo.org will soon use HTTPS by default Jul 25, 2022
@sgiehl
Member

sgiehl commented Aug 1, 2022

Removing from the 4.11 milestone, as the remaining tasks will be solved in a later version.

@mattab mattab added the 4.13.1 label Jan 4, 2023
@mattab mattab modified the milestones: 4.13.1, 5.0.0 Jan 9, 2023
@mattab mattab changed the title Notify that requests to matomo.org will soon use HTTPS by default Use HTTPS by default for connections to matomo.org (with working fallback to HTTP requiring super user edit the INI config) Jan 9, 2023
@bx80 bx80 removed the 4.13.1 label Jan 18, 2023
@sgiehl sgiehl closed this as completed Jan 20, 2023
@MatomoForumNotifications

This issue has been mentioned on Matomo forums. There might be relevant details there:

https://forum.matomo.org/t/plugins-matomo-org-over-https/52525/2
