https://bz.apache.org/bugzilla/show_bug.cgi?id=58891
--- Comment #2 from Alexander Kjäll <alexander.kj...@gmail.com> --- Hi I agree that SSL is complex, and I don't think it's within the scope of the tomcat documentation to address all aspects of it, it can be very lengthy to describe how different attack vectors works for example. I feel that a good condensed version could be to give advise that doesn't expose users to security vulnerabilities. But the SSL "landscape" have change significantly since the original text was written and my personal opinion is that the text needs to be a bit updated so that it reflect how the world works today. Maybe we can break down the changes that I feel are important from a security perspective and talk about them point by point, I'm of course willing to rewrite the patch again to incorporate your feedback. 1) About self signed certs: This is pretty important, as the original text portrays scenarios where end users are presented with self signed certs. A self signed cert should never be presented to end users as this doesn't offer any protection against an attacker that does a man-in-the-middle attack. There is also no real reason to not get your certificate signed by a real CA now that Lets encrypt offers SSL/TLS certificates that are both free and automatable. 2) Mixing SSL and non-SSL pages. This advise is also important to remove, if people do SSL like this it's trivial to steal session cookies. With todays hardware it's also not that computable expensive to make sure all content is distributed over a secure channel. I feel that it adds value to say something about not mixing SSL/non-SSL content, but that could maybe be removed. 3) Information about HSTS. This isn't that important, it's more of a nice to have. 4) SNI information. This section could maybe be phrased differently? Maybe say something about the SSL limitation to one certificate per IP not being that important now that people use IPv6? -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
