[FFE] Change from http to https and verify cert

Can you provide a diff/branch for this change?

By the description you give so far, it sounds like a bugfix to me more than a feature change.

Status changed to 'Confirmed' because the bug affects multiple users.

Why did you open this bug and mark the already reported bug a duplicate of this?

@jeremy, Joshua wasn't aware of bug 1054677 when he created this one, I alerted him to the duplicate and suggested he set one as dupe of the other, either way round.

Jeremy, Right, what popey said, plus we needed to follow the freeze exception process which requires a different description and some other things. I didn't want to hijack the other bug but I also wanted to make it clear that this bug addresses that one by marking it as a duplicate.

Status changed to 'Confirmed' because the bug affects multiple users.

I would like to Register My Concerns(tm) about the process here as a security researcher and occasional Ubuntu user. I don't mean to sound upset with anyone or accusatory, I just don't want to see this happen again next time around. I suspect that Ubuntu is only going to continue down the cloud integration path and it's critical to get this right.

It's great that it's already been agreed the plugin is changing to HTTPS, but the future revision where this would happen is referred to as the "production" server.

The server you currently have is live on the internet now. It is answering requests from the client software that is live on the download mirrors now. It's on real machines outside of the development lab.

**It's already in production.**

A web service on the open internet is quite a bit different from normal desktop software. Just calling it beta doesn't really make it okay make everything plaintext and plan to get around to it later. For that matter, there's also the TOS and the privacy policy which every web service should have. I don't see any of this info on http://productsearch.ubuntu.com/. Again, I understand it's beta but it's still live. (If the TOS/privacy policy is the same as some generic ubuntu.com one, it should still really be linked to from the subdomain - but I would like to see a specific privacy policy for each specific type of data exchange.)

It's okay if your first *internal* version of a web service has temporary, insecure rigging, but when it goes live on the internet it needs to already be /* FIXME: insecure */-free. As a security researcher who was worried about the implementation of your plugin, I should be looking over your source for bugs in your security code, because it can be very difficult to get that right on the first try - but instead I'm on bug tickets imploring you to make sure there is security code for me to check at all.

I am going to open another ticket about some other privacy problems more particular to this exact plugin. I just wanted to share these concerns about process for launching a web service integrated with the desktop.

FFe approved. Please land ASAP (today please).

This bug was fixed in the package unity-lens-shopping - 6.0.0-0ubuntu2

---------------
unity-lens-shopping (6.0.0-0ubuntu2) quantal; urgency=low

  [ Łukasz 'sil2100' Zemczak ]
  * debian/control:
    - Added build-dependencies to libsoup2.4-dev and libsoup-gnome2.4-dev, as
      needed by the addition of secure connections

  [ Iain Lane ]
  * Cherry-pick upstream r22 to connect to the remote server using SSL (LP:
    #1055649)
 -- Iain Lane <email address hidden> Fri, 28 Sep 2012 18:01:02 +0100