JENKINS-66161: Remove use of google.com and also make use of HTTPS URLs or endpoints


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Component/s: core

      Description

      Hey Team / Kohsuke Kawaguchi,

      I would like to propose an enhancement or improvement on two underrated issues in Jenkins that I noticed while deploying in enterprise systems.

      1. Use of HTTP endpoints / URLs and remove redirects - SecOps are concerned about allowlisting HTTP URLs and redirects today in some enterprises, and it is impossible to scan the huge volume in a short period of time if the implementation of Jenkins is critical or time sensitive. We need to change this so that it will be seamless to deploy without losing the market to other cloud vendors over time, since much senior management would go for managed servers rather than approving (even temporarily for install or upgrade). Redirects are a waste of time and increase response time.
      2. Use of google.com URLs or use of sites that are not under *.jenkins.io for plugins should be changed to something reliable or trustworthy - This is another red flag raised by SecOps, and we need to remove the use of google.com starting from checkConnectionURL() to any place it is not required. If it is really needed, we may need to document which domains (full addresses) have to be requested for the allowed list on a company's firewall in the cloud (applies to on-prem too).

      Advantages

      1. Increase in upgrades - Most enterprises may be running on an old version of Jenkins without upgrading, because these firewall restrictions on HTTP or google.com will cause implementation failure and are hard to roll back.
      2. Builds more trust in the enterprise space - It will help Jenkins to be consumed by many enterprises, and management would not think of other cloud options due to these security issues.
      3. More web traffic to Jenkins.io - More hits to the Jenkins.io website if we shift from using google.com, and indirectly it may help SEO and many other digital marketing advantages.

          Activity

          danielbeck Daniel Beck added a comment -

          Getting back to the previous comment by Tim Jacomb, there is one more oddity in this mess:

          Historically, Jenkins didn't download the update center JSON itself, a user's browser did and told Jenkins about it. The reason is that apparently, in the late 2000s, it wasn't common for services like Jenkins to connect out, so a bit of client-side JS did it for Jenkins. Downloading plugins was done from Jenkins though (so a restricted environment may know there are plugin updates, but could not install them).

          In this environment, a separate connection test made sense. Perhaps that's kind of obsolete now, and we should have an admin monitor informing users their updated-daily update site metadata could not be downloaded instead? Then the connection test could just be removed, given that lack of internet access means there's no metadata. I think I have some work in progress locally somewhere, if I find it I'll open a PR for that.

          prnam Pranam added a comment -

          Also, if you think from the receiving end (Google), it looks like they are having a DDoS attack. Not sure of the client install, but if one is using it via Docker without persistence, this could be bad for a person who was experimenting with stuff or developing and testing.

          Or it also can be that Jenkins, in a different way, is providing this signal to Google of all new users (org or personal) connecting at least once, and contributing to their daily or yearly active users.

          I think there should be a better mechanism for achieving what it was built for, and if it's obsolete then it will be nice if the team includes a fix in the next release or has it on the roadmap. I wish I could contribute, but unfortunately I am not a Java developer.

          prnam Pranam added a comment -

          Correct, we send a single request and expect a success response, of which we only check the status code. No cookies etc. are stored; this isn't happening in a browser.

          We are assuming the best case here. Even if Jenkins is not hitting the service on HTTP on Google or storing them, there are so many other cookies and trackers on the machine of some individual that may be giving way to so many different commercial benefits; maybe the same commercial company that does what Jenkins does will be notified about the traffic and interest of this particular individual or company in using Jenkins, may be interested in using your product, and persuade with a different marketing strategy to convert a current Jenkins user into a possible customer for their platforms.

          kon Kalle Niemitalo added a comment -

          Pranam can you get a network packet capture and check whether the HTTP request indicates in any way that it is sent by Jenkins?

          danielbeck Daniel Beck added a comment - edited

          cookies and trackers on machine

          That's not how any of this works. They get an IP address. Depending on Jenkins version and configuration they may also get a "Jenkins" user agent. But no "cookies and trackers".

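The alternative connection test discussed in this thread, as an added illustration that is not Jenkins' own checkConnectionURL() or any other Jenkins code: the probe targets the update site over HTTPS only, refuses to follow redirects, and returns a distinct result per failure mode so an admin monitor could tell an administrator which host to allowlist. The default update-site URL, the class name and the User-Agent string are assumptions for the example.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;

/** Connectivity probe against the configured update site (example, not Jenkins core code). */
public final class UpdateSiteConnectivityCheck {
    /** Each outcome maps to a different admin-monitor message. */
    public enum Result { OK, NOT_HTTPS, REDIRECTED, HTTP_ERROR, UNREACHABLE }

    private final HttpClient client = HttpClient.newBuilder()
            .followRedirects(HttpClient.Redirect.NEVER)   // a 3xx is reported, never silently followed
            .connectTimeout(Duration.ofSeconds(5))
            .build();

    public Result check(URI updateSite) {
        // Refuse plain HTTP up front: the endpoint SecOps allowlists must be HTTPS.
        if (!"https".equalsIgnoreCase(updateSite.getScheme())) {
            return Result.NOT_HTTPS;
        }
        HttpRequest request = HttpRequest.newBuilder(updateSite)
                .method("HEAD", HttpRequest.BodyPublishers.noBody()) // the status code is all we inspect
                .timeout(Duration.ofSeconds(10))
                .header("User-Agent", "Jenkins-connectivity-check/example") // assumed value
                .build();
        try {
            int status = client.send(request, HttpResponse.BodyHandlers.discarding()).statusCode();
            if (status >= 200 && status < 300) return Result.OK;
            if (status >= 300 && status < 400) return Result.REDIRECTED;
            return Result.HTTP_ERROR;
        } catch (IOException e) {                 // DNS failure, TLS failure, firewall drop, timeout
            return Result.UNREACHABLE;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return Result.UNREACHABLE;
        }
    }

    public static void main(String[] args) {
        // Default is the public Jenkins update site; pass another URL to probe a mirror or proxy.
        URI target = URI.create(args.length > 0 ? args[0] : "https://updates.jenkins.io/update-center.json");
        Result result = new UpdateSiteConnectivityCheck().check(target);
        System.out.println(target.getHost() + ": " + result);
        if (result != Result.OK) {
            System.out.println("Admin monitor: update site metadata cannot be downloaded; allowlist https://" + target.getHost());
        }
    }
}
```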

            People

            Assignee: Unassigned
            Reporter: prnam Pranam
            Votes: 0
            Watchers: 5