| 1 |
On Tue, Mar 08, 2011 at 03:53:01PM +0100, Micha?? G??rny wrote: |
| 2 |
> On Tue, 08 Mar 2011 16:41:08 +0200 |
| 3 |
> Antoni Grzyma??a <awaria@××××××××××.pl> wrote: |
| 4 |
> |
| 5 |
> > On Tue, 8 Mar 2011 15:26:34 +0100, Micha????? G????rny wrote: |
| 6 |
> > > On Mon, 07 Mar 2011 15:06:25 -0500 |
| 7 |
> > > Olivier Cr??te <tester@g.o> wrote: |
| 8 |
> > > |
| 9 |
> > >> On Mon, 2011-03-07 at 20:47 +0100, Micha?? G??rny wrote: |
| 10 |
> > >> > Why does everyone assume it needs to be enforced? If user is |
| 11 |
> > >> > interested in protecting his/her data, he/she can simply use |
| 12 |
> > >> > https://. If he/she is not, there is no real reason to enforce |
| 13 |
> > >> > slower (and not always supported) SSL. |
| 14 |
> > >> |
| 15 |
> > >> Maybe it's not to protect the user, but to protect the Gentoo |
| 16 |
> > >> infrastructure.. And really, SSL has been supported by every |
| 17 |
> > >> browser for the last 15 years. And it is not in any way slow or |
| 18 |
> > >> slower than non-SSL. |
| 19 |
> > > |
| 20 |
> > > If you really think you need to force all users to use SSL, thus |
| 21 |
> > > assuming they're unable to make their own decisions, why don't you |
| 22 |
> > > restrict bugzie access completely? |
| 23 |
> > |
| 24 |
> > You don't seem to (or pretend not to) understand that using SSL |
| 25 |
> > protects not *the user* (in which case, yes, a user is free to leave |
| 26 |
> > the door to *his own* house wide open), but the Gentoo infrastructure |
| 27 |
> > that is far from his own and that all of us are using. |
| 28 |
> |
| 29 |
> Please explain to me how not using SSL for a particular bugzie user is |
| 30 |
> going to hurt Gentoo infra. Even if we're talking about a dev, |
| 31 |
> and we're really assuming a dev is completely unaware of security |
| 32 |
> issues he/she's dealing with, I'd say power outage could cause more |
| 33 |
> damage. |
| 34 |
|
| 35 |
If you access a bug which a user marked private/for devs only, or some |
| 36 |
security bug, then the process of you viewing this information without |
| 37 |
SSL would disclose this information to anyone listening on your |
| 38 |
network. And disclosing your session cookie would allow anyone to find |
| 39 |
any such private data they _want_ to find rather than just the content |
| 40 |
you're viewing. Thus, by encrypting everything you are protecting |
| 41 |
Gentoo users' data which is posted as private on bugzilla because they |
| 42 |
trust that ``private'' actually means private. |
| 43 |
|
| 44 |
> > Besides, complaining about SSL being slow is absurd considering how |
| 45 |
> > mildly interactive and how low-traffic a typical bugzilla session is. |
| 46 |
> > You could do just fine over a 9600 bps modem. |
| 47 |
> |
| 48 |
> It is more absurd to waste 5 minutes trying to establish login session |
| 49 |
> due to packet loss. |
| 50 |
|
| 51 |
And if you have such a bad internet connection as you claim to have, |
| 52 |
then perhaps there's a higher chance of people trolling your packets |
| 53 |
anyways :-p. |
| 54 |
|
| 55 |
-- |
| 56 |
binki |
| 57 |
|
| 58 |
Look out for missing apostrophes! |
Archives