On Mon, 7 Mar 2011 15:48:19 +0100
Tobias Klausmann <klaus...@gentoo.org> wrote:

> On Mon, 07 Mar 2011, Mike Frysinger wrote:
> > >> If *anybody* can't use SSL for any reason please yell so that we
> > >> can decide if we leave it as it is (plain + encrypted) or not.
> > >
> > > Is there any *real* reason to force SSL? It is *hell* slow.
> > 
> > it should of course be forced for logging in
> 
> If it is enforced for login, it should be enforced for logged
> in sessions, cf. Cookie stealing (for a POC: Firesheep). And no,
> restricting the login cookie to an IP is *not* "safe enough".

Why does everyone assume it needs to be enforced? If a user is interested
in protecting his/her data, he/she can simply use https://. If he/she
is not, there is no real reason to enforce slower (and not always
supported) SSL.

It's like forcing everyone to have doors with semi-automatic locks.

-- 
Best regards,
Michał Górny

Attachment: signature.asc
Description: PGP signature
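The session-cookie exposure Tobias describes above (login over SSL, but the logged-in session replayable from plain HTTP), as an added example that is not part of this thread: a small check over constructed response headers that flags the two settings which let a session cookie travel in the clear, with the weak header set beside a hardened one. The header values and cookie name are constructed for the example.

```python
"""Check whether a site's response headers confine the session cookie to
TLS, i.e. whether a passively sniffed cookie can be replayed over http://.
All headers below are constructed sample data, not from any real site."""


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as Secure carry no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def session_exposure(headers, session_cookie="session"):
    """Return findings that let the session cookie cross a plaintext hop.
    An empty list means the cookie only ever travels inside TLS."""
    findings = []
    hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    for key, val in headers:
        if key.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(val)
        if name != session_cookie:
            continue
        if "secure" not in attrs:
            # Without Secure the browser attaches the cookie to any http://
            # request for the site, so one plain link or image leaks it.
            findings.append("session cookie lacks Secure")
    if not hsts:
        # Without HSTS a typed or bookmarked http:// URL is not upgraded.
        findings.append("no Strict-Transport-Security header")
    # Note: binding the cookie to the client IP would not change these
    # findings; on shared Wi-Fi behind NAT the sniffer has the same address.
    return findings


WEAK = [("Set-Cookie", "session=abc123; Path=/"),
        ("Content-Type", "text/html")]
HARDENED = [("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
            ("Strict-Transport-Security", "max-age=31536000"),
            ("Content-Type", "text/html")]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, session_exposure(hdrs) or ["confined to TLS"])
```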