On Mon, 2011-03-07 at 20:47 +0100, Michał Górny wrote:
> On Mon, 7 Mar 2011 15:48:19 +0100
> Tobias Klausmann <[email protected]> wrote:
> 
> > On Mon, 07 Mar 2011, Mike Frysinger wrote:
> > > >> If *anybody* can't use SSL for any reason please yell so that we
> > > >> can decide if we leave it as it is (plain + encrypted) or not.
> > > >
> > > > Is there any *real* reason to force SSL? It is *hell* slow.
> > > 
> > > it should of course be forced for logging in
> > 
> > If it is enforced for login, it should be enforced for logged
> > in sessions, cf. Cookie stealing (for a POC: Firesheep). And no,
> > restricting the login cookie to an IP is *not* "safe enough".
> 
> Why does everyone assume it needs to be enforced? If user is interested
> in protecting his/her data, he/she can simply use https://. If he/she
> is not, there is no real reason to enforce slower (and not always
> supported) SSL.

Maybe it's not to protect the user, but to protect the Gentoo
infrastructure. And really, SSL has been supported by every browser for
the last 15 years. And it is not in any way slow or slower than non-SSL.


-- 
Olivier Crête
[email protected]
Gentoo Developer
