On Tue, Mar 08, 2011 at 03:53:01PM +0100, Michał Górny wrote:
> On Tue, 08 Mar 2011 16:41:08 +0200
> Antoni Grzymała <awaria@××××××××××.pl> wrote:
>
> > On Tue, 8 Mar 2011 15:26:34 +0100, Michał Górny wrote:
> > > On Mon, 07 Mar 2011 15:06:25 -0500
> > > Olivier Crête <tester@g.o> wrote:
> > >
> > >> On Mon, 2011-03-07 at 20:47 +0100, Michał Górny wrote:
> > >> > Why does everyone assume it needs to be enforced? If user is
> > >> > interested in protecting his/her data, he/she can simply use
> > >> > https://. If he/she is not, there is no real reason to enforce
> > >> > slower (and not always supported) SSL.
> > >>
> > >> Maybe it's not to protect the user, but to protect the Gentoo
> > >> infrastructure. And really, SSL has been supported by every
> > >> browser for the last 15 years. And it is not in any way slow or
> > >> slower than non-SSL.
> > >
> > > If you really think you need to force all users to use SSL, thus
> > > assuming they're unable to make their own decisions, why don't you
> > > restrict bugzie access completely?
> >
> > You don't seem to (or pretend not to) understand that using SSL
> > protects not *the user* (in which case, yes, a user is free to leave
> > the door to *his own* house wide open), but the Gentoo infrastructure
> > that is far from his own and that all of us are using.
>
> Please explain to me how not using SSL for a particular bugzie user is
> going to hurt Gentoo infra. Even if we're talking about a dev,
> and we're really assuming a dev is completely unaware of security
> issues he/she's dealing with, I'd say power outage could cause more
> damage.

If you access a bug which a user marked private/for devs only, or some
security bug, then the process of you viewing this information without
SSL would disclose this information to anyone listening on your
network. And disclosing your session cookie would allow anyone to find
any such private data they _want_ to find rather than just the content
you're viewing. Thus, by encrypting everything you are protecting
Gentoo users' data which is posted as private on bugzilla because they
trust that ``private'' actually means private.

> > Besides, complaining about SSL being slow is absurd considering how
> > mildly interactive and how low-traffic a typical bugzilla session is.
> > You could do just fine over a 9600 bps modem.
>
> It is more absurd to waste 5 minutes trying to establish login session
> due to packet loss.

And if you have such a bad internet connection as you claim to have,
then perhaps there's a higher chance of people trolling your packets
anyways :-p.

--
binki

Look out for missing apostrophes!
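The session-cookie point above can be checked mechanically: a small audit, added here as an example and not part of the thread, flags responses that answer plaintext requests instead of redirecting them, cookies issued without the Secure/HttpOnly attributes, and missing HSTS. The sample responses are constructed, and the cookie names Bugzilla_login / Bugzilla_logincookie are an assumption about the Bugzilla instance, not taken from the thread.

```python
REDIRECT_CODES = {301, 302, 307, 308}

# Constructed: login page fetched over plain http, cookies lacking Secure/HttpOnly.
PLAINTEXT_LOGIN = ("HTTP/1.1 200 OK", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "Bugzilla_login=12345; path=/"),
    ("Set-Cookie", "Bugzilla_logincookie=AbCdEf; path=/; HttpOnly"),
])
# Constructed: plain http once SSL is enforced, nothing but a redirect.
PLAINTEXT_REDIRECT = ("HTTP/1.1 301 Moved Permanently", [
    ("Location", "https://bugs.example.org/"),
])
# Constructed: the https login response with hardened cookies and HSTS.
HTTPS_LOGIN = ("HTTP/1.1 200 OK", [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "Bugzilla_login=12345; path=/; Secure; HttpOnly"),
    ("Set-Cookie", "Bugzilla_logincookie=AbCdEf; path=/; Secure; HttpOnly"),
])


def parse_set_cookie(value):
    """Return (cookie name, set of lowercase attribute names) for one Set-Cookie."""
    name_value, *attrs = [p.strip() for p in value.split(";")]
    name = name_value.split("=", 1)[0]
    return name, {a.split("=", 1)[0].lower() for a in attrs if a}


def audit(response, over_https):
    """List the ways this response exposes a session to a passive listener."""
    status_line, headers = response
    code = int(status_line.split()[1])
    hdrs = {}
    for key, val in headers:
        hdrs.setdefault(key.lower(), []).append(val)
    findings = []
    location = hdrs.get("location", [""])[0]
    if not over_https and not (code in REDIRECT_CODES and location.startswith("https://")):
        findings.append("plaintext request answered instead of redirected to https")
    if over_https and "strict-transport-security" not in hdrs:
        findings.append("missing Strict-Transport-Security header")
    for raw in hdrs.get("set-cookie", []):
        name, attrs = parse_set_cookie(raw)
        if "secure" not in attrs:  # browser would also send it on plaintext requests
            findings.append(f"cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
    return findings


if __name__ == "__main__":
    for label, resp, tls in (("http login", PLAINTEXT_LOGIN, False),
                             ("http redirect", PLAINTEXT_REDIRECT, False),
                             ("https login", HTTPS_LOGIN, True)):
        print(label, audit(resp, tls) or "ok")
```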