Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#47059 closed defect (bug) (worksforme)

Site Health: bogus warnings about need for SSL on localhost

Reported by: DavidAnderson
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 5.2
Component: Site Health
Keywords: site-health
Focuses:
Cc:

Description

Site Health Check will tell the user that his security would be improved with an SSL certificate, even on a development site on localhost (i.e. loopback networking interface).

MITM cannot be performed on a loopback interface (except by root, but root on either end has full access to the data before/after the application of SSL anyway), so this is a bogus warning that will ultimately only train users to believe that "Site Health Check's" information is only sometimes reliable, which will be counter-productive.

Attachments (2)

47059.patch (2.2 KB) - added by dkarfa 5 years ago.
If it is localhost or tld for .test or .local then it will pass the SSL test
47059.2.patch (1.5 KB) - added by dkarfa 5 years ago.
Kindly delete the old patch.


Change History (8)

#1 @Clorith
5 years ago

  • Keywords site-health added
  • Summary changed from Site Health Check: bogus warnings about need for SSL on localhost to Site Health: bogus warnings about need for SSL on localhost

#2 @SergeyBiryukov
5 years ago

  • Milestone changed from Awaiting Review to 5.2.1

Moving to 5.2.1 for discussion.

#3 @tmdesigned
5 years ago

Well, "bogus warning" seems like a little bit of a stretch to me, since in most cases it is a valid, and important, warning.

For the sake of argument, I would suggest users advanced enough to be running a local development environment would likely understand this, and therefore would not be misled into thinking the tool is unreliable.

Besides, the check is still accurate in so far as they actually don't have an SSL, regardless of whether it's really a security concern in their specific environment. I wouldn't want to see language added like "...may..." or "...sometimes..." because that would mask the seriousness of having an SSL in almost every other case.

How much are local environments accounted for in other areas of core?

@dkarfa
5 years ago

If it is localhost or tld for .test or .local then it will pass the SSL test

@dkarfa
5 years ago

Kindly delete the old patch.
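The two attachment notes above describe the patch's approach (treat localhost and the .test/.local TLDs as passing the SSL test) without showing it. The following is an added, stand-alone illustration of that idea written for this page; it is neither dkarfa's 47059.patch nor WordPress core code, and the result array shape is its own rather than WP_Site_Health's. It goes slightly beyond the ticket by also treating the loopback block 127.0.0.0/8, ::1 and the RFC 2606 .localhost name as local; those additions are this example's assumption. Private LAN addresses (10.x, 192.168.x) are deliberately not matched, because another host on the same network can still sit between browser and server there.

```php
<?php
// Added example: not WordPress core code and not dkarfa's 47059.patch.
// Classifies a site URL as a local development host (loopback or a name
// reserved for local use) and shows how an HTTPS recommendation could treat
// such hosts as passing while still stating that HTTPS is not in use.

/**
 * True when the host part of $site_url is only reachable over the loopback
 * interface or uses a name reserved for local use.
 */
function is_local_development_host($site_url)
{
    $host = parse_url($site_url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false; // unparsable URL: never suppress a warning on guesswork
    }

    // Normalise: lower-case, drop a trailing dot, drop IPv6 literal brackets.
    $host = strtolower(rtrim($host, '.'));
    $host = trim($host, '[]');

    if ($host === 'localhost' || $host === '::1') {
        return true;
    }

    // The whole 127.0.0.0/8 block is loopback, not only 127.0.0.1.
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false
        && strncmp($host, '127.', 4) === 0) {
        return true;
    }

    // .test and .localhost are reserved by RFC 2606; .local is mDNS (RFC 6762).
    // Private LAN ranges are intentionally NOT listed: other machines on that
    // network can still interpose themselves.
    foreach (array('.test', '.localhost', '.local') as $suffix) {
        $len = strlen($suffix);
        if (strlen($host) > $len && substr($host, -$len) === $suffix) {
            return true;
        }
    }

    return false;
}

/**
 * Simplified HTTPS check in the spirit of the Site Health test. The array
 * shape here is this example's own. A local development host is reported as
 * passing, but the label still says HTTPS is not in use so the reader keeps
 * an accurate picture of the install.
 */
function https_status_for_site($site_url)
{
    if (parse_url($site_url, PHP_URL_SCHEME) === 'https') {
        return array('status' => 'good', 'label' => 'Site is served over HTTPS');
    }
    if (is_local_development_host($site_url)) {
        return array(
            'status' => 'good',
            'label'  => 'HTTPS is not in use, but the site runs on a local development host',
        );
    }
    return array('status' => 'recommended', 'label' => 'Site does not use HTTPS');
}

// Constructed sample URLs for demonstration; not taken from any real install.
$samples = array(
    'http://localhost:8080/',
    'http://127.0.0.1/wp-admin/',
    'http://127.10.0.5/',
    'http://[::1]/',
    'http://mysite.test/',
    'http://dev.mysite.local/',
    'http://localhost.example.com/',   // only looks local; must not match
    'http://192.168.1.20/',            // LAN address; deliberately not local
    'http://example.com/',
    'https://example.com/',
);

foreach ($samples as $url) {
    $result = https_status_for_site($url);
    printf(
        "%-32s local=%-3s status=%-11s %s\n",
        $url,
        is_local_development_host($url) ? 'yes' : 'no',
        $result['status'],
        $result['label']
    );
}
```

Run it with `php` from the command line to see which of the constructed URLs are classified as local. Note that an unparsable URL falls through to the normal recommendation rather than being treated as local, which keeps a malformed site URL from silently hiding the check.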

#4 @desrosj
5 years ago

  • Keywords 2nd-opinion close added

I am of the opinion that someone running a local development environment will most likely not be trying to resolve everything that is flagged in the Site Health section (if addressing suggestions at all).

That said, I think that this is still a valid thing to flag, even if the potential for an attack is very slim on a local development environment. Two of the more popular local development environments (VVV and Local) make it very easy to configure SSL certificates.

The test is also listed under the Recommended Improvements section, which IMO correctly sets the expectation for the suggestion to the user.

I think that this can be closed as wontfix, but I am marking this for a second opinion.

#5 @Clorith
5 years ago

  • Keywords 2nd-opinion close removed
  • Milestone 5.2.1 deleted
  • Resolution set to worksforme
  • Status changed from new to closed

I'm going to side with the other comments here; it's not really an incorrect warning, you are not using HTTPS.

It's very unlikely that you'll be trying to check your site health on a local development installation, and if you are, you likely know that you can skip that check if you wish to do so.

As @desrosj also mentions, most localhost tools have ways to set up self-signed certificates for testing, which would self-resolve this item.

I'll also add in that there's a management plugin you could use to turn off checks you find irrelevant in your test setup.

#6 @spacedmonkey
5 years ago

  • Component changed from Administration to Site Health