OpenSCAP / website

Tracker for new OpenSCAP portal

admin_url() returns https, but our users do not trust the certificate #141

Closed isimluk closed 8 years ago

isimluk commented 8 years ago

Check out http://www.open-scap.org/resources/documentation/customizing-scap-security-guide-for-your-use-case/

And try to enter your comment. Captcha does not show. Captcha wants to fetch the image over https. However, Firefox will not show that.

Note: If you have already trusted open-scap's self-signed certificate, it will work. However, for a newcomer it will not.

isimluk commented 8 years ago

OK, there is a bigger problem to tackle. WP provides a function admin_url. That function returns a URL that starts with either https or http. We need to fix what this function returns. This function is used across the plugins and controllers.

https://codex.wordpress.org/Function_Reference/admin_url
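The failure described in the two comments above (an http page whose captcha image is requested over https from a host with an untrusted certificate) can be spotted by auditing a page for subresources whose scheme differs from the page's own. The following is an added example, not code from this thread or from the OpenSCAP portal; the host `portal.example`, the image path and the function name `scheme_mismatches` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose "src" attribute makes the browser fetch a subresource.
FETCH_TAGS = ("img", "script", "iframe")


class _Collector(HTMLParser):
    """Collects absolute URLs of subresources referenced by a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag in FETCH_TAGS else None
        if src:
            # Relative and protocol-relative URLs inherit the page's scheme.
            self.resources.append((tag, urljoin(self.page_url, src)))


def scheme_mismatches(page_url, html):
    """Return (tag, url, kind) for subresources whose scheme differs from the page's."""
    page_scheme = urlsplit(page_url).scheme
    collector = _Collector(page_url)
    collector.feed(html)
    findings = []
    for tag, url in collector.resources:
        scheme = urlsplit(url).scheme
        if scheme not in ("http", "https") or scheme == page_scheme:
            continue
        # http page -> https resource: loads only if the visitor trusts the cert.
        # https page -> http resource: classic mixed content.
        kind = "needs-trusted-cert" if scheme == "https" else "mixed-content"
        findings.append((tag, url, kind))
    return findings


# Constructed sample: an http page that embeds one image over https.
SAMPLE_PAGE = "http://portal.example/resources/documentation/"
SAMPLE_HTML = """
<img src="/logo.png">
<img src="https://portal.example/wp-admin/captcha-placeholder.png">
<script src="//portal.example/lib.js"></script>
<a href="https://portal.example/wp-admin/">admin</a>
"""

if __name__ == "__main__":
    for finding in scheme_mismatches(SAMPLE_PAGE, SAMPLE_HTML):
        print(finding)
```

Every `needs-trusted-cert` finding is a resource that silently fails for visitors who have not accepted the certificate, which is why a publicly trusted certificate resolves the issue without touching `admin_url()`.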

lhorakov commented 8 years ago

[Two screenshots: 2015-11-10 18-05-17 and 2015-11-10 18-05-25]

mpreisler commented 8 years ago

Let's disable comments before we get the https cert, which should be soon from what I have heard from letsencrypt.

Please avoid adding filters and more cruft into the theme if at all possible. Otherwise it will bite us in the future and the site will become unmaintainable.

EDIT: Clarification of the above: We want to run a stock WordPress site with as few plugins as possible with NO changes to the source code of WordPress. If we really, really, REALLY have to, we can make exceptions, but we should really think hard about that. Otherwise we will get nightmares, been there, done that!

lhorakov commented 8 years ago

Done

isimluk commented 8 years ago

Sorry about being blunt here. But what exactly has been "Done"?

Did we make admin_url() return the http version?

https://codex.wordpress.org/Function_Reference/admin_url

The admin_url() function is used by multiple other parts of the portal, not only by the captcha. I don't know what else is potentially exposed to users though.

lhorakov commented 8 years ago

That we will have https, but now we don't need any changes in admin_url(); we will use another type of comments on the website. They don't need https.

mpreisler commented 8 years ago

I'd say this is wontfix; once we have TLS certs in place it becomes a feature that it returns https :-)

mpreisler commented 8 years ago

It's a feature now, we have a trusted TLS 1.2 cert in place.

isimluk commented 8 years ago

Martin, which issue can I refer to when looking into the TLS 1.2 cert progress?

isimluk commented 8 years ago

Ah, I found it #133.