launchpad-doc team mailing list archive

[Bug 488241] [NEW] Insecure content (CC license badge) on secure sites help.launchpad.net and dev.launchpad.net

 

*** This bug is a security vulnerability ***

You have been subscribed to a public security bug:

Pages on the domains help.launchpad.net and dev.launchpad.net (for
example the main pages <URL:https://help.launchpad.net/> and
<URL:https://dev.launchpad.net/>) include a reference to the image
<URL:http://i.creativecommons.org/l/by/2.0/uk/80x15.png> each. This
image is served via HTTP, as you can see from the URI, so this results
in insecure content (sometimes this combination is called „mixed
content“) being served to the User Agent.

Either the image needs to be copied to the Launchpad servers, and served
from there via HTTPS, or an HTTPS reference to a Creative Commons host
needs to be used. In the latter case, make sure to get in touch with the
people at creativecommons.org, because i.creativecommons.org uses the
certificate issued for api.creativecommons.org, and accessing
creativecommons.org via TLS (port 443, HTTPS) results in a security
warning for me. In the former case, I am not sure about the copyright
status of the CC badge (but it *should* be at least CC-licensed,
shouldn’t it? :-) ).

The problem may appear on other domains than help.launchpad.net and dev.launchpad.net as well, but as I do not have a list of all Launchpad domains, I could not check. Someone should verify that, please.
It does not appear on <URL:https://launchpad.net/> or <URL:https://edge.launchpad.net/>, though.

** Affects: launchpad-documentation
     Importance: Low
         Status: Triaged


** Tags: certificate https insecure mixed-content security tls x.509
-- 
Insecure content (CC license badge) on secure sites help.launchpad.net and dev.launchpad.net
https://bugs.edge.launchpad.net/bugs/488241
You received this bug notification because you are a member of Launchpad Documentation Team, which is subscribed to Launchpad Documentation.
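
A check for the condition this report describes, as an added example that is not part of the original bug report or of Launchpad's code: it parses a page's HTML and lists the subresources an HTTPS page would fetch over plain HTTP. The function and class names, the tag/attribute table and the sample HTML are constructed for illustration; only the badge URL comes from the report.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource (illustrative subset).
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "embed": "src",
    "audio": "src", "video": "src", "source": "src", "object": "data",
}
# <link> only fetches for some rel values; <a href> is navigation, not a subresource.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload"}

class _SubresourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base_url = page_url  # replaced if the page carries <base href>
        self.found = []           # (tag, absolute URL) pairs

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "base" and a.get("href"):
            self.base_url = urljoin(self.base_url, a["href"])
            return
        if tag == "link":
            rels = set(a.get("rel", "").lower().split())
            ref = a.get("href") if rels & FETCHING_LINK_RELS else None
        else:
            ref = a.get(SUBRESOURCE_ATTRS.get(tag, ""))
        if ref:
            # Resolves relative and protocol-relative ("//host/x") references.
            self.found.append((tag, urljoin(self.base_url, ref.strip())))

def find_mixed_content(page_url, html):
    """Return (tag, url) pairs that an HTTPS page would fetch over plain HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages served securely
    collector = _SubresourceCollector(page_url)
    collector.feed(html)
    return [(t, u) for t, u in collector.found if urlsplit(u).scheme == "http"]

# Constructed sample page; only the badge URL is taken from the bug report.
SAMPLE = """<html><head><link rel="stylesheet" href="/static/site.css"></head>
<body><a href="http://example.org/about">About</a>
<img src="http://i.creativecommons.org/l/by/2.0/uk/80x15.png" alt="CC BY">
<img src="//example.org/logo.png"><script src="https://example.org/a.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://help.launchpad.net/", SAMPLE):
        print(f"insecure <{tag}>: {url}")
```

Run against the saved HTML of each documentation domain, this gives the per-domain verification the report asks for; it does not see resources loaded from CSS or by scripts at runtime.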