Hi janl. This makes a lot of sense, and it just needs some questions
answered before it can go into the confirmed wishlist:
1) If SSL is not installed, but somebody installs webapp foo, should we
then go ahead and allow it to be served via clear HTTP? SSL requires
some setup and possibly acquiring a 3rd party signed certificate,
whereas users inside a LAN may want to allow port 80 access.
2) How does a user specify that they want a service to be insecure? Its
entirely possible that a service is sitting behind an SSL accelerator
and so does not need port 443.
3) Should the apps, if they need protection, just mark themselves as
requiring ssl by having SSLRequireSSL in their default configuration?
Answer those in the bug description, and then we can change the status
to Confirmed.
Marking Incomplete pending answer to the 2 questions above. Setting
Importance to Wishlist.
** Changed in: apache2 (Ubuntu)
Status: New => Incomplete
** Changed in: apache2 (Ubuntu)
Importance: Undecided => Wishlist
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is a direct subscriber.
https://bugs.launchpad.net/bugs/695857
Title:
ssl protection not default for sensitive packages
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
