default config: api_service_url to use https #8235

Closed
thomaszbz opened this issue Jun 27, 2015 · 1 comment
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.

Comments

@thomaszbz

Current download of piwik 13.x comes along with global.ini.php including

api_service_url = http://api.piwik.org

This should be changed to https asap, because MITM could compromise the API output otherwise (keep in mind that the output is presented to the user, including links, update information etc.)

This issue (#1867) was already discussed 5 years ago. Now that the https API has been available for a long time, you should default to it. It is 2015 now and attackers use every possibility they can find.

Via MITM, it potentially compromises all the nice automatic update, can be used for phishing attacks, ...

Users should be recommended to use https if they have overridden the global.ini.php default.
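A configuration check for the situation described in the post above, as an added example that is not part of the original issue or of the project's code: it resolves the effective `api_service_url` from the shipped defaults and a local override, then flags any value that is not https. It assumes the key sits in a `[General]` section and that a local file (for instance `config.ini.php`) overrides `global.ini.php`; the function names and sample file contents are constructed for illustration.

```python
import re
from urllib.parse import urlparse

KEY = "api_service_url"

def read_setting(ini_text, section="General", key=KEY):
    """Return the last value of `key` in `[section]`, or None if absent."""
    current, value = None, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank line or comment (including a PHP exit guard line)
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            current = m.group(1).strip()
            continue
        name, sep, val = line.partition("=")
        if sep and current == section and name.strip() == key:
            value = val.strip().strip("\"'")
    return value

def audit(global_ini, local_ini=""):
    """Resolve the effective URL (a local override wins) and classify it."""
    local = read_setting(local_ini)
    source = "local override" if local is not None else "shipped default"
    url = local if local is not None else read_setting(global_ini)
    if url is None:
        return {"source": None, "url": None, "status": "missing"}
    scheme = urlparse(url).scheme.lower()
    status = "ok" if scheme == "https" else "insecure"
    return {"source": source, "url": url, "status": status}

# Constructed sample file contents (assumed layout, not copied from a release).
GLOBAL_INI = """; <?php exit; ?> DO NOT REMOVE THIS LINE
[General]
api_service_url = http://api.piwik.org
"""
LOCAL_HTTPS = '[General]\napi_service_url = "https://api.piwik.org"\n'
LOCAL_HTTP = "[General]\napi_service_url = http://api.piwik.org\n"

if __name__ == "__main__":
    cases = [("no override", ""), ("https override", LOCAL_HTTPS),
             ("http override", LOCAL_HTTP)]
    for label, local in cases:
        print(label, audit(GLOBAL_INI, local))
```

The third case is the one the last sentence of the post is about: an installation whose local override still pins the http URL stays exposed even after the shipped default changes.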

@mattab mattab added the c: Security label Jul 15, 2015
@mattab mattab added this to the Mid term milestone Jul 15, 2015
@mattab mattab modified the milestones: Long term, Mid term Dec 5, 2016
@sgiehl
Member

sgiehl commented Aug 12, 2024

This has meanwhile been fixed with #20231 in Matomo 5.

@sgiehl sgiehl closed this as not planned Aug 12, 2024
@innocraft-automation innocraft-automation removed this from the Backlog (Help wanted) milestone Sep 13, 2024