Bug 350213 - Gerrit web ui must be served through SSL only
Summary: Gerrit web ui must be served through SSL only
Status: RESOLVED FIXED
Alias: None
Product: EGit
Classification: Technology
Component: UI
Version: 1.0
Hardware: All All
Importance: P3 normal
Target Milestone: ---
Assignee: Project Inbox CLA
Blocks: 283749
Reported: 2011-06-24 02:19 EDT by Gunnar Wagenknecht CLA
Modified: 2012-02-10 14:32 EST
Description Gunnar Wagenknecht CLA 2011-06-24 02:19:12 EDT
Currently, Gerrit at egit.eclipse.org allows signing in via HTTP. This sends passwords unencrypted over the wire.

This is especially critical because the web UI provides access to an SSH key management facility for commits.
Comment 1 Mykola Nikishov CLA 2012-02-10 14:32:56 EST
Gerrit instance moved to http://git.eclipse.org and works as expected:

mn@think:~$ curl --head --location http://git.eclipse.org/r/
HTTP/1.0 301 Moved Permanently
Date: Fri, 10 Feb 2012 19:27:39 GMT
Server: Apache
Location: https://git.eclipse.org/r/
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.19)
Connection: keep-alive

HTTP/1.0 200 Connection established

HTTP/1.1 200 OK
Date: Fri, 10 Feb 2012 19:27:41 GMT
Expires: Tue, 01 Jan 1980 00:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: text/html;charset=UTF-8
Content-Length: 12556
X-NodeID: dev2
Vary: Accept-Encoding
Connection: close
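
The check performed by eye in comment 1, as an added example that is not part of the original bug report: it walks a captured `curl --head --location` transcript and reports any hop where plain HTTP answers with something other than a redirect to HTTPS, or sets a cookie. The function names are hypothetical, SAMPLE is constructed from the transcript above, and treating the reason phrase "Connection established" as the proxy's CONNECT reply is an assumption.

```python
import re
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
# Constructed sample, modelled on the proxied transcript in comment 1.
SAMPLE = """\
HTTP/1.0 301 Moved Permanently
Location: https://git.eclipse.org/r/
Via: 1.0 localhost (squid/3.1.19)

HTTP/1.0 200 Connection established

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
"""

def parse_blocks(transcript):
    """Split `curl --head --location` output into (status, reason, headers)."""
    blocks = []
    for chunk in re.split(r"\r?\n\s*\r?\n", transcript.strip()):
        lines = chunk.splitlines()
        m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})\s*(.*)", lines[0])
        if not m:
            continue  # not a response header block
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        blocks.append((int(m.group(1)), m.group(2).strip(), headers))
    return blocks

def audit_http_entry(start_url, transcript):
    """Return findings; an empty list means plain HTTP only redirects to HTTPS."""
    findings, url = [], start_url
    for status, reason, headers in parse_blocks(transcript):
        if reason.lower() == "connection established":
            continue  # assumed: proxy's reply to CONNECT, not the origin server
        location = headers.get("location", "")
        if urlsplit(url).scheme != "https":
            if status not in REDIRECTS:
                findings.append(f"{url}: answered {status} over plain HTTP")
            elif urlsplit(urljoin(url, location)).scheme != "https":
                findings.append(f"{url}: redirects to non-HTTPS {location!r}")
            if "set-cookie" in headers:
                findings.append(f"{url}: sets a cookie over plain HTTP")
        if status in REDIRECTS and location:
            url = urljoin(url, location)  # follow the hop, as --location does
    return findings
```

Calling `audit_http_entry("http://git.eclipse.org/r/", SAMPLE)` returns an empty list, matching the "works as expected" result reported in the comment.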