On 03/07/2011 08:47 PM, Michał Górny wrote:
> On Mon, 7 Mar 2011 15:48:19 +0100
> Tobias Klausmann <[email protected]> wrote:
>
>> On Mon, 07 Mar 2011, Mike Frysinger wrote:
>>>>> If *anybody* can't use SSL for any reason please yell so that we
>>>>> can decide if we leave it as it is (plain + encrypted) or not.
>>>>
>>>> Is there any *real* reason to force SSL? It is *hell* slow.
>>>
>>> it should of course be forced for logging in
>>
>> If it is enforced for login, it should be enforced for logged
>> in sessions, cf. Cookie stealing (for a POC: Firesheep). And no,
>> restricting the login cookie to an IP is *not* "safe enough".
>
> Why does everyone assume it needs to be enforced? If a user is interested
> in protecting his/her data, he/she can simply use https://. If he/she
> is not, there is no real reason to enforce slower (and not always
> supported) SSL.
>
> It's like forcing everyone to have doors with semi-automatic locks.
>

*I* think it's ok if we're going to protect *our* data. Some users may even benefit from it. I don't see any disadvantages for our users.

--
Regards,
Christian Ruppert
Role: Gentoo Linux developer, Bugzilla administrator and Infrastructure member
Fingerprint: EEB1 C341 7C84 B274 6C59 F243 5EAB 0C62 B427 ABC8
