On 03/07/2011 08:47 PM, Michał Górny wrote:
> On Mon, 7 Mar 2011 15:48:19 +0100
> Tobias Klausmann <klausman@g.o> wrote:
>
>> On Mon, 07 Mar 2011, Mike Frysinger wrote:
>>>>> If *anybody* can't use SSL for any reason please yell so that we
>>>>> can decide if we leave it as it is (plain + encrypted) or not.
>>>>
>>>> Is there any *real* reason to force SSL? It is *hell* slow.
>>>
>>> it should of course be forced for logging in
>>
>> If it is enforced for login, it should be enforced for logged-in
>> sessions, cf. cookie stealing (for a PoC: Firesheep). And no,
>> restricting the login cookie to an IP is *not* "safe enough".
>
> Why does everyone assume it needs to be enforced? If a user is interested
> in protecting his/her data, he/she can simply use https://. If he/she
> is not, there is no real reason to enforce slower (and not always
> supported) SSL.
>
> It's like forcing everyone to have doors with semi-automatic locks.
>

*I* think it's ok if we're going to protect *our* data. Some users may
even benefit from it.
I don't see any disadvantages for our users.

--
Regards,
Christian Ruppert
Role: Gentoo Linux developer, Bugzilla administrator and Infrastructure
member
Fingerprint: EEB1 C341 7C84 B274 6C59 F243 5EAB 0C62 B427 ABC8