@peterhashair opened this Pull Request on July 14th 2022 Contributor

Description:

Fixes: #19081

Part 2: https://github.com/matomo-org/matomo/pull/19549

Update HTTPS security check: when the client is using HTTP, just throw a warning on diagnostic.

Reopen this issue, as we discussed, not to force users to use HTTPS at this stage, only a warning message. In the next stage, we will force HTTPS connections. Ref Here: https://github.com/matomo-org/matomo-security/issues/195

Review

@justinvelluppillai commented on July 21st 2022 Member

@justinvelluppillai Do I understand it correctly that the purpose of this PR is to show the user a warning if ssl is not supported to either enable ssl support or enable a config option, that currently would only display another warning?

I guess that is meant to avoid possible issues for users when switching to ssl later, but actually that would only have a big difference if we wait a certain amount of time until we switch to ssl. Otherwise, if it would be too quick, users might directly update to a version where ssl is used and may have never seen the warning before. Guess we would need to do that with Matomo 5 then, where, on the other side, this "breaking" change could be directly implemented, without any prior notice. 🤔

Yes that's right, we want to release this as stage 1 which will just warn that soon HTTPS will be default, and then we wait a few months before making it default. Even if we could make it default already in Matomo 5.0.0 we want to give users some warning first, so the change to make it default could be Matomo 5.0.0 or 5.1.0 or even later. Of course some users might still update multiple versions and not see the warning but we will still show a system check at that point to help them.

This Pull Request was closed on July 25th 2022