PHP :: Request #67680 :: news.php.net can't be access via HTTPS

news.php.net can't be access via HTTPS

Submitted:

2014-07-24 17:36 UTC

Modified:

2023-06-23 14:06 UTC

Votes:	4
Avg. Score:	3.2 ± 1.1
Reproduced:	2 of 2 (100.0%)
Same Version:	1 (50.0%)
Same OS:	1 (50.0%)

From:

yannick@php.net

Assigned:

mj (profile)

Status:

Wont fix

Package:

Systems problem

PHP Version:

Irrelevant

OS:

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	yannick@php.net
New email:
PHP Version:		OS:

New Comment:

[2014-07-24 17:36 UTC] yannick@php.net

Description:
------------
https://news.php.net don't point to http://news.php.net

Expected result:
----------------
https://news.php.net will be acceded via HTTPS

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-01-03 12:51 UTC] jacob@php.net

-Status: Open +Status: Verified

[2015-01-03 12:51 UTC] jacob@php.net

Would be great to get all the PHP.net family of sites accessible *only* over TLS however I am not sure of the infrastructure constraints here.

[2015-01-05 23:55 UTC] aharvey@php.net

-Package: Website problem +Package: Systems problem

[2017-08-08 11:30 UTC] php dot net at thermoman dot de

Description
===========

news.php.net is running on port 80/http and delivering content that is submitted unencrypted over the public internet.

Impact
======

Having php.announce items containing PGP signatures and hashes transmitted via unencrypted channels a simple MITM attack is possible to alter contents on a news.php.net page and trick a visitor into downloading php source code releases from a thirdparty webserver and even supply the "correct" signature and hashes to the malicious source code archive.

Example
=======

Just visit http://news.php.net/php.announce/223 which will display URLs to download the source code from, hashes and PGP signatures.

Try to https://access news.php.net/ which results in "connection refused".

[2019-05-20 14:13 UTC] petk@php.net

Hello, bumping. Maybe 2019 is the year of https everywhere for PHP?

[2021-09-10 11:01 UTC] cmb@php.net

-Assigned To: +Assigned To: mj

[2021-09-10 11:01 UTC] cmb@php.net

<https://news.php.net> is still unsupported.  Martin, could you
please have a look at this?

[2023-06-23 14:06 UTC] mj@php.net

-Status: Verified +Status: Wont fix -Type: Bug +Type: Feature/Change Request

[2023-06-23 14:06 UTC] mj@php.net

news.php.net has been deprecated in favour of news-web.php.net and it actually redirects there. No real need for SSL anymore.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Jan 14 01:01:30 2025 UTC