Current download of piwik 13.x comes along with global.ini.php including
api_service_url = http://api.piwik.org
This should be changed to https asap, because MITM could compromise the api output otherwise (keep in mind that the output is presented to user including links, update information etc.)
This issue (#1867) has already been discussed 5 years ago. Now that https-api is available for a long time you should default to it. We have 2015 now and attackers use every possibility they can find.
Via MITM, it potentially compromises all the nice automatic updates, can be used for phishing attacks, ...
Users should be recommended to use https if they have overridden the global.ini.php default.
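As an added example (it is not part of this issue and not Piwik's own code), the following Python script audits a global.ini.php-style file for the problem described above: it parses the INI, flags every `*_url` setting that is not served over https, and rewrites plain `http://` values to `https://`. The sample INI is constructed for this example; only `api_service_url = http://api.piwik.org` is taken from the issue, and the second key is hypothetical.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample modelled on the [General] section of Piwik's global.ini.php.
# api_service_url is the value quoted in the issue; some_other_url is hypothetical.
SAMPLE_INI = """\
; <?php exit; ?> DO NOT REMOVE THIS LINE
[General]
; URL of the Piwik API service (update checks, plugin metadata, links shown to users)
api_service_url = http://api.piwik.org
; hypothetical extra key, constructed for this example
some_other_url = https://example.invalid/path
"""


def load_ini(text):
    """Parse INI text in the style of global.ini.php (';' full-line comments)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def find_plaintext_urls(parser):
    """Return (section, key, value) for every *_url setting whose scheme is not https.

    These are the settings an on-path attacker could tamper with, since the
    response is later rendered to the user (links, update notices, ...).
    """
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if not key.endswith("_url"):
                continue
            value = value.strip()
            if urlparse(value).scheme.lower() != "https":
                findings.append((section, key, value))
    return findings


def harden(parser):
    """Rewrite http:// service URLs to https:// in place; return the changed entries.

    Only the scheme is swapped, so an operator still has to confirm the host
    actually serves https. Anything that is not plain http is left for review.
    """
    changed = []
    for section, key, value in find_plaintext_urls(parser):
        parsed = urlparse(value)
        if parsed.scheme.lower() != "http":
            continue  # empty or unusual scheme: report, do not guess
        new_value = parsed._replace(scheme="https").geturl()
        parser.set(section, key, new_value)
        changed.append((section, key, new_value))
    return changed


if __name__ == "__main__":
    cfg = load_ini(SAMPLE_INI)
    for section, key, value in find_plaintext_urls(cfg):
        print(f"WEAK  [{section}] {key} = {value}")
    for section, key, value in harden(cfg):
        print(f"FIXED [{section}] {key} = {value}")
```

Run it against a real config by replacing `SAMPLE_INI` with the contents of the deployed `config/global.ini.php` (or `config/config.ini.php`, where local overrides live); the first loop is the detection, the second is the fix the issue asks for.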
mattab added the "c: Security" label (For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.) on Jul 15, 2015