#5230 enable https for http://taiga.fedorainfracloud.org/
Closed: Fixed None Opened 8 years ago by till.

http://taiga.fedorainfracloud.org/ uses a login and therefore should be using https.

I guess it would need a new certificate. Would it be ok to start using letsencrypt for this?


Well, all the logins are via ipsilon/fedora openid... it doesn't do auth itself I don't think...

It will still use some kind of authentication cookie that can be used by others to access the system with the same privileges as an attacked user (given a man-in-the-middle attacker). Also, attackers could make it show a fake ipsilon login page that might not be noticed by users. So there is no good reason to not make it use https. What about letsencrypt?

We could use letsencrypt, but I would want it to be pretty automated. I don't want to have to manually grab a new cert every few weeks.

Replying to [comment:3 kevin]:

We could use letsencrypt, but I would want it to be pretty automated. I don't want to have to manually grab a new cert every few weeks.

Yes, this is absolutely what letsencrypt is all about.

Anyone working on this right now?

Replying to [comment:5 aikidouke]:

Anyone working on this right now?

I lack the time currently. If you would like to work on this, please go ahead.

This has now been resolved.
