Bug 346292 - People get confused by the https version of developer.kde.org
Summary: People get confused by the https version of developer.kde.org
Alias: None
Product: www.kde.org
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Platform: Other Other
: NOR normal (vote)
Target Milestone: ---
Assignee: kde-www mailing-list
URL: https://developer.kde.org/~cfeck/port...
Depends on:
Reported: 2015-04-17 08:14 UTC by Ganton
Modified: 2018-10-23 15:42 UTC (History)
5 users (show)

See Also:
Latest Commit:
Version Fixed In:


Note You need to log in before you can comment on or make changes to this bug.
Description Ganton 2015-04-17 08:14:31 UTC
Dear Sirs:

The address used to check the KF5 Porting Status:
doesn't work. However, the address
works, so maybe the problem would be solved with a little change.


Moreover, if people use the  "HTTPS Everywhere" extension (developed by the EFF), when entering
as this extension sees that that address doesn't work, it tries to go to
but as that address leads people (maybe it shouldn't?) to 
doesn't exist, people get even more confused:

That could be solved if 
just worked.

Thank you for all the good work!

Reproducible: Always
Comment 1 Ben Cooksley 2015-04-17 16:05:13 UTC
I'm not sure what your browser is doing - https://developer.kde.org/ cannot work at all as the server hosting it does not listen for https traffic.

Something else is redirecting you, likely a defective browser addon - such as the EFF's HTTPS Everywhere module.
Comment 2 Ganton 2015-04-17 18:51:18 UTC
The point is, to avoid:
1) People seeing that
is not working.
2) Having only
with the insecurities of http.
3) The confusions of
4) The page
redirecting people to

worked, then this bug would be solved.
Comment 3 Luigi Toscano 2015-04-17 21:27:35 UTC
The interesting question here is: if developer.kde.org does not answer on https, why is the connection redirected to techbase.kde.org (and not for example on kde.org)? Ben, you know the structure, is there any special connection between developer and techbase?
If there are no connection, I would say that the extension shouldn't do magic redirections and inform the user or drop the connection...
Comment 4 Ben Cooksley 2015-04-18 04:57:10 UTC
Accessing http://developer.kde.org/ will get you redirected to https://techbase.kde.org/ as it is the successor to the original content of that domain. 

That doesn't explain why https://developer.kde.org/ (which doesn't work) would end up as a redirect to https://techbase.kde.org/ though unless someone decided to circumvent our lack of SSL on developer.kde.org and "add" a rule to extension(s) to make "SSL everywhere" work.

The extension is acting incorrectly in this case, so requests to fix it should be directed to it's developers.
Comment 5 Ganton 2015-04-18 07:43:41 UTC
The developers of the extension can change it, but that won't solve those main problems already stated in this bug report:

1) People seeing that 
is not working. 
2) Having only 
with the insecurities of http. 

If this bug was solved that would be better for everyone.
Comment 6 Albert Astals Cid 2015-04-18 19:40:10 UTC
How are you insecure by accessing     http://developer.kde.org/~cfeck/portingstatus.html 
Comment 7 Ganton 2015-04-19 09:38:05 UTC
"The main motivation for HTTPS is to provide authentication of the visited website and to protect the privacy and integrity of exchanged data". 

Web browsers such as Internet Explorer, Firefox and Chrome also display a padlock icon in the address bar to visually indicate that a HTTPS connection is in effect. 
-- https://www.instantssl.com/ssl-certificate-products/https.html

For example, when Firefox users go to
they see a padlock icon, they can click on it, they know is really KDE who is informing them, they see a message saying that the connection is secure, etc. 

When users to go
well, first they see that it doesn't work, it puzzles them, "what is happening?", doesn't give them a good impresion about KDE, etc. Then they have to think about what they can do, if they finally think that then can try
they know that they ignore who is sending them the pages, they have to think "is this information protected by encription?", "it should?", "what if it isn't?", think about the risks, what can be happening, "the other KDE pages I visited didn't do this", etc.; that is solved if just 

When users see:
    1) A page like  
        that doesn't have any icon indicating a secure connection, its real author, etc.
    2) A page like
        that doesn't work.
they think that there is something wrong. That, and all the problems that have been written in this bug report, can be solved if just
Comment 8 Ben Cooksley 2015-04-19 22:40:40 UTC
The purpose and benefits of HTTPS aren't being debated here. There is simply no reason to deploy HTTPS support and the required certificates on the machine hosting developer.kde.org however. 

In all the links that have been publicly posted by Christoph at least, none of them contain https://. They are all http:// so I don't know who made them https://. Likely some defective browser plugin - in which case fixing the plugin is the best thing to do here - as we've no plans, at least not in the immediate future to add SSL support to developer.kde.org (as it is simply unnecessary, it doesn't really host anything anymore).
Comment 9 Ganton 2015-04-20 06:36:00 UTC
> The purpose and benefits of HTTPS aren't being debated here.

If someone has been reading there, he has seen

> There is simply no reason to deploy HTTPS support

As everyone can read:
- http://googlewebmastercentral.blogspot.com.es/2014/08/https-as-ranking-signal.html
- https://www.instantssl.com/ssl-certificate-products/https.html
- https://bugs.kde.org/show_bug.cgi?id=346292#c7
- [Put there your reference to a site about security]

Some users that care about security know what is authentication, some of them know what are "man in the middle" attacks,  encryption, etc. and use HTTPS consequently. Other users don't know all that but they know enough to use HTTPS regularly, as they have been advised by security-conscious websites. When users see a KDE page like
that doesn't have any icon indicating a secure connection, its real author, etc.; and when they see that
does not even work; that all causes a bad impression about KDE. KDE is a lot better than that!
Comment 10 Christoph Feck 2015-05-02 20:49:56 UTC
The link is not meant for users, they cannot do anything with this information. It is for developers getting an overview where porting help is needed.
Comment 11 Ganton 2015-05-03 19:25:42 UTC
That page shows a lot of information that can be used for several goals. For example, people use that page to see if a KDE software is stalling (or dying) or progressing, where is help needed, how the general KDE move to Qt5-KF5 is going, etc. This page is useful for people. 

For example, they talk about it in that page: 
and that page gives an introduction to what is happening, because that page is aimed to final users.

one user wrote
    "Can't wait for KDE5 as default for archlinux which will happen as soon as all applications are ported over.
So the question is: How many are left? [...]"
and he was answered
    "Here you go: http://developer.kde.org/~cfeck/portingstatus.html"
so that he could get informed.

By the way, thank you, KDE people, for keeping us informed!
Comment 12 Christoph Feck 2015-05-03 20:17:05 UTC
> they talk about it in that page

kdepepo == cfeck

The purpose of the blog was to motivate more developers to start porting. Having an overview of "how many already did it" clearly motivated other lesser known KDE application developers (e.g. Robby from Tellico fame etc.) to begin the porting efforts.

> because that page is aimed to final users

No, it isn't. It was motivated by Ömar's request finding information where porting help is needed, see http://lists-archives.com/kde-devel/32022-kf-port-progress.html

> as soon as all applications are ported over

There will be no "all". Many KDE developers already use a pure Qt5 system (in addition to some non-Qt applications), because they do not need all of them. Porting progress happens because either developers want their application as a Qt5 version, or other developers help porting, not because there is a schedule.
Comment 13 Ganton 2015-05-03 20:59:35 UTC
> > as soon as all applications are ported over 

> There will be no "all".  [...]

That's what that user wrote. Thank you, KDE people, for keeping us informed! developer.kde.org/~cfeck/portingstatus.html is useful!
Comment 14 Ganton 2015-05-08 09:48:02 UTC
Last week news have shown us new attacks and measures.

Speaking about the question that Albert Astals Cid made about HTTPS security, it's important to beware of another kind of unexpected automatic attacks that are used if e.g. HTTPS connections are not used:
    Websites are used effectively as a botnet because attackers are able to intercept and modify javascript sent via HTTP.
    HTTPS stops a lot of threats, even if you're a hobbyist; HTTPS ensures that an attacker can't just intercept your page and put there his javascript and a bunch of exploit kits.
and last week news about Mozilla:
    Mozilla Security Blog -- Deprecating non-secure HTTP
    Today we are announcing our intent to phase out non-secure HTTP. [...]
Comment 15 Nate Graham 2018-10-23 15:42:15 UTC
The URL in question no longer exists.