php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #67680 news.php.net can't be access via HTTPS
Submitted: 2014-07-24 17:36 UTC Modified: 2023-06-23 14:06 UTC
Votes:4
Avg. Score:3.2 ± 1.1
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: yannick@php.net Assigned: mj (profile)
Status: Wont fix Package: Systems problem
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
View Developer Edit
 [2014-07-24 17:36 UTC] yannick@php.net 
Description:
------------
https://news.php.net don't point to http://news.php.net

Expected result:
----------------
https://news.php.net will be acceded via HTTPS

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-01-03 12:51 UTC] jacob@php.net
-Status: Open +Status: Verified
 [2015-01-03 12:51 UTC] jacob@php.net 
Would be great to get all the PHP.net family of sites accessible *only* over TLS however I am not sure of the infrastructure constraints here.
 [2015-01-05 23:55 UTC] aharvey@php.net
-Package: Website problem +Package: Systems problem
 [2017-08-08 11:30 UTC] php dot net at thermoman dot de 
Description
===========

news.php.net is running on port 80/http and delivering content that is submitted unencrypted over the public internet.

Impact
======

Having php.announce items containing PGP signatures and hashes transmitted via unencrypted channels a simple MITM attack is possible to alter contents on a news.php.net page and trick a visitor into downloading php source code releases from a thirdparty webserver and even supply the "correct" signature and hashes to the malicious source code archive.

Example
=======

Just visit http://news.php.net/php.announce/223 which will display URLs to download the source code from, hashes and PGP signatures.

Try to https://access news.php.net/ which results in "connection refused".
 [2019-05-20 14:13 UTC] petk@php.net 
Hello, bumping. Maybe 2019 is the year of https everywhere for PHP?
 [2021-09-10 11:01 UTC] cmb@php.net
-Assigned To: +Assigned To: mj
 [2021-09-10 11:01 UTC] cmb@php.net 
<https://news.php.net> is still unsupported.  Martin, could you
please have a look at this?
 [2023-06-23 14:06 UTC] mj@php.net
-Status: Verified +Status: Wont fix -Type: Bug +Type: Feature/Change Request
 [2023-06-23 14:06 UTC] mj@php.net 
news.php.net has been deprecated in favour of news-web.php.net and it actually redirects there. No real need for SSL anymore.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Dec 26 23:01:28 2024 UTC