| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
On 03/07/2011 09:48 AM, Tobias Klausmann wrote: |
| 5 |
> Hi! |
| 6 |
> |
| 7 |
> On Mon, 07 Mar 2011, Mike Frysinger wrote: |
| 8 |
>>>> If *anybody* can't use SSL for any reason please yell so that we can |
| 9 |
>>>> decide if we leave it as it is (plain + encrypted) or not. |
| 10 |
>>> |
| 11 |
>>> Is there any *real* reason to force SSL? It is *hell* slow. |
| 12 |
>> |
| 13 |
>> it should of course be force for logging in |
| 14 |
> |
| 15 |
> If it is enforced for login, it should be enforced for logged |
| 16 |
> in sessions, cf. Cookie stealing (for a POC: Firesheep). And no, |
| 17 |
> restricting the login cookie to an IP is *not* "safe enough". |
| 18 |
> |
| 19 |
> Regards, |
| 20 |
> Tobias |
| 21 |
> |
| 22 |
|
| 23 |
First off, a big thanks to infra and all involved in the migration. It |
| 24 |
looks awesome! |
| 25 |
|
| 26 |
As to the SSL bit, there is *no* reason not to be using SSL for anything |
| 27 |
that requires a username / password. And I 100% agree with Tobias. If |
| 28 |
it's necessary to use SSL to login, it's necessary to use it for the |
| 29 |
duration of the session. I don't know how feasible it is to do, but if |
| 30 |
normal viewing (no login) can be left SSL free, I see no issue there. |
| 31 |
Otherwise however, SSL should be in use. |
| 32 |
|
| 33 |
Regards, |
| 34 |
- -- |
| 35 |
Dane Smith (c1pher) |
| 36 |
Gentoo Linux Developer -- QA / Crypto / Sunrise / x86 |
| 37 |
RSA Key: http://pgp.mit.edu:11371/pks/lookup?search=0x0C2E1531&op=index |
| 38 |
-----BEGIN PGP SIGNATURE----- |
| 39 |
Version: GnuPG v2.0.17 (GNU/Linux) |
| 40 |
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ |
| 41 |
|
| 42 |
iQIcBAEBAgAGBQJNdPDCAAoJEEsurZwMLhUxFtUP/istnBrfWjaj8SoHmweB5Uh8 |
| 43 |
Fblpar2tWVqqSORPV0fkXnYogXK8EbSl4eQDo6Q5LZt4OUzP2T4rLOrrexaxL2s/ |
| 44 |
GzKYHeoEsUKAfkZa5W3bmL8ZaL0ueYFqM/ucx1r9iGEqEOIr33G3eaR3AlaovmjV |
| 45 |
Qw/r0McPFJDxqZz+79Xl/sFTFJaDHebEKiYT9Y40m3+6Ha4EqWcZ5DLX41/kfE77 |
| 46 |
Du+hCdf5J3E29vED3qtY5FBrmzG4ILBPCXbYxW8IMbpizQAzj7XzH8ZxjA9OvPOJ |
| 47 |
S0kxrjQR9oFodiPETYf/vOpsHlp/D3+HECRo4Qa1OJBdkb70ci+5XHoY3GvdAKUe |
| 48 |
MN3jCf94CSxlCyJcngWoyiu9j93l2Z3ctjq3cHo1dH4ETo686jyKFm4xBBkm4UrF |
| 49 |
Co6c/pkX+78m2Py4hcWml+X2reYMurTC0dRG42YCW3dXRMJha6OZKIKXTf19FakL |
| 50 |
bEd0adIK99t+N3i63yKIsd9p5SrU0H2ysJtX2wNyUVMAYnAad7gn7SGCKCytmvAo |
| 51 |
4R8to3O7DitfIXAAz78Zj5vwa9VIbPu8dCTV0zo2XHE5EOXfu87YMQYKQQU1KwXK |
| 52 |
9Rx0ZLys+vQCJL1EhezXBRcG39ksVHI1/hytD3LMTeRRXeQLJUrE3LK64mxtEARH |
| 53 |
f7uLbv3dNgsjbhIM7jfQ |
| 54 |
=CxR9 |
| 55 |
-----END PGP SIGNATURE----- |
Archives