On 03/07/2011 09:48 AM, Tobias Klausmann wrote:
> Hi!
>
> On Mon, 07 Mar 2011, Mike Frysinger wrote:
>>>> If *anybody* can't use SSL for any reason please yell so that we can
>>>> decide if we leave it as it is (plain + encrypted) or not.
>>>
>>> Is there any *real* reason to force SSL? It is *hell* slow.
>>
>> it should of course be forced for logging in
>
> If it is enforced for login, it should be enforced for logged
> in sessions, cf. Cookie stealing (for a POC: Firesheep). And no,
> restricting the login cookie to an IP is *not* "safe enough".
>
> Regards,
> Tobias
>

First off, a big thanks to infra and all involved in the migration. It
looks awesome!

As to the SSL bit, there is *no* reason not to be using SSL for anything
that requires a username / password. And I 100% agree with Tobias. If
it's necessary to use SSL to log in, it's necessary to use it for the
duration of the session. I don't know how feasible it is to do, but if
normal viewing (no login) can be left SSL free, I see no issue there.
Otherwise however, SSL should be in use.

Regards,
-- 
Dane Smith (c1pher)
Gentoo Linux Developer -- QA / Crypto / Sunrise / x86
RSA Key: http://pgp.mit.edu:11371/pks/lookup?search=0x0C2E1531&op=index
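The point argued in this thread, that a cookie issued over SSL at login still travels in cleartext once the session falls back to plain HTTP, as an added example that is not part of the original message. The host name, cookie name and both request traces are constructed, and the model checks only the `Secure` attribute (domain and path matching are left out).

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Return {cookie_name: has_secure_attribute} for one Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: bool(morsel["secure"]) for name, morsel in jar.items()}


def cleartext_exposures(trace):
    """Replay (request_url, set_cookie_in_response) pairs in order.

    Returns (url, cookie_name) for every request on which a browser would
    attach a stored cookie to an unencrypted http:// request.
    """
    jar = {}        # cookie name -> Secure attribute present?
    exposed = []
    for url, set_cookie in trace:
        if urlsplit(url).scheme == "http":
            # Cookies without Secure are sent on plain HTTP and can be sniffed.
            exposed += [(url, name) for name, secure in jar.items() if not secure]
        if set_cookie:
            jar.update(parse_set_cookie(set_cookie))
    return exposed


# Constructed trace: SSL for the login form only, session continues on HTTP.
LOGIN_ONLY_SSL = [
    ("https://bugs.example.org/login", "session=abc123; Path=/; HttpOnly"),
    ("http://bugs.example.org/show?id=1", None),
]

# Constructed trace: cookie marked Secure, so a stray HTTP request cannot leak it.
FULL_SSL = [
    ("https://bugs.example.org/login", "session=abc123; Path=/; Secure; HttpOnly"),
    ("https://bugs.example.org/show?id=1", None),
    ("http://bugs.example.org/show?id=1", None),
]

if __name__ == "__main__":
    print("login-only SSL:", cleartext_exposures(LOGIN_ONLY_SSL))
    print("full-session SSL:", cleartext_exposures(FULL_SSL))
```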
