Hi janl. This makes a lot of sense, and it just needs some questions answered before it can go into the confirmed wishlist:

1) If SSL is not installed, but somebody installs webapp foo, should we then go ahead and allow it to be served via clear HTTP? SSL requires some setup and possibly acquiring a 3rd party signed certificate, whereas users inside a LAN may want to allow port 80 access.

2) How does a user specify that they want a service to be insecure? It's entirely possible that a service is sitting behind an SSL accelerator and so does not need port 443.

3) Should the apps, if they need protection, just mark themselves as requiring SSL by having SSLRequireSSL in their default configuration?

Answer those in the bug description, and then we can change the status to Confirmed.

Marking Incomplete pending answer to the 2 questions above. Setting Importance to Wishlist.

** Changed in: apache2 (Ubuntu)
   Status: New => Incomplete

** Changed in: apache2 (Ubuntu)
   Importance: Undecided => Wishlist

--
https://bugs.launchpad.net/bugs/695857
Title: ssl protection not default for sensitive packages