Galen Charlton wrote on Thu 30-05-2013 at 11:18 [-0700]:
> I'd personally be happy with requiring SSL for the staff interface and
> the OPAC throughout on the basis that patron information is sensitive
> enough to demand that level of care.

All our deployments now are using SSL, we strongly recommend it for exactly this reason. Also that if it's tied in to an LDAP infrastructure, passwords should never exist in plaintext (also, people reuse passwords).

> However, because of the general support issues that would arise around
> SSL certs, I suspect that Koha jumping on the HTTPS Everywhere
> bandwagon will likely have to remain a recommended practice rather
> than a requirement or installation default.

Yeah, it requires a substantial amount of setup and knowledge. Also it interacts badly with cover images, which are fetched over HTTP, and so you get mixed content warnings. Where possible, they should use HTTPS if the system is, but it's not always possible.

--
Robin Sheat
Catalyst IT Ltd.
✆ +64 4 803 2204
GPG: 5957 6D23 8B16 EFAB FEF8 7175 14D3 6485 A99C EB6D
_______________________________________________
Koha-devel mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
