@thomaszbz opened this Issue on June 27th 2015

Current download of Piwik 13.x comes along with global.ini.php including

api_service_url = http://api.piwik.org

This should be changed to https ASAP, because MITM could compromise the API output otherwise (keep in mind that the output is presented to the user, including links, update information etc.).

This issue (#1867) has already been discussed 5 years ago. Now that https-api is available for a long time you should default to it. We have 2015 now and attackers use every possibility they can find.

Via MITM, it potentially compromises all the nice automatic update, can be used for phishing attacks, ...

Users should be recommended to use https if they have overridden the global.ini.php default.
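An added example, not part of the original issue or of Piwik's code: a small audit that resolves the effective `api_service_url` from the shipped `global.ini.php` and a local override file, and reports whether it uses https. The override file name `config.ini.php`, the `[General]` section name, the function names, and the sample file contents are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

KEY = "api_service_url"

def read_setting(ini_text, key=KEY):
    """Return the last value assigned to `key` in Piwik-style INI text, or None."""
    value = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        # Skip blanks, section headers and comments (this also covers the
        # "; <?php exit; ?>" guard line at the top of the file).
        if not line or line.startswith((";", "#", "[")):
            continue
        name, sep, rest = line.partition("=")
        if sep and name.strip() == key:
            value = rest.strip().strip("\"'")
    return value

def audit(global_ini, local_ini=""):
    """Resolve the effective URL (a local override wins) and judge its scheme."""
    override = read_setting(local_ini)
    effective = override if override is not None else read_setting(global_ini)
    if effective is None:
        return ("missing", None, None)
    source = "config.ini.php" if override is not None else "global.ini.php"
    parts = urlsplit(effective)
    ok = parts.scheme.lower() == "https" and bool(parts.hostname)
    return ("ok" if ok else "insecure", source, effective)

# Constructed sample inputs (section name is an assumption).
GLOBAL_SHIPPED = """; <?php exit; ?> DO NOT REMOVE THIS LINE
[General]
api_service_url = http://api.piwik.org
"""
GLOBAL_FIXED = GLOBAL_SHIPPED.replace("http://", "https://")
LOCAL_HTTPS = '[General]\napi_service_url = "https://api.piwik.org"\n'
LOCAL_HTTP = "[General]\napi_service_url = http://api.piwik.org\n"

if __name__ == "__main__":
    cases = [(GLOBAL_SHIPPED, ""), (GLOBAL_SHIPPED, LOCAL_HTTPS), (GLOBAL_FIXED, LOCAL_HTTP)]
    for g, l in cases:
        print(audit(g, l))
```

The third case is the one the last paragraph of the issue is about: the shipped default has been corrected, but a local override still pins the plain-http URL.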
