also just a very off topic topic:
what if a trusted CA issued a *.* cert? for those of you who don't know,
that would be valid everywhere (even if the session was hijacked) but again,
very off topic, back to the topic at hand :D
*Riley Childs*
*Library Technology Manager at Charlotte United
HTTPS prevents passive monitoring at the application level, but there is
still nothing stopping the government from issuing a subpoena for the
webserver log files. They can still see what you're doing at the network
level, granted they can only see source and destination IPs and ports. With
enough
Hi!
On Wed, Nov 6, 2013 at 5:37 PM, Riley Childs ri...@tfsgeo.com wrote:
Why? HTTPS is used when there is sensitive data involved, code4lib.org (at
least to my knowledge) does not have sensitive data?
It is not just about the security of the users but privacy of the
users as well. Internet
On Nov 10, 2013, at 5:45 AM, Mitar mmi...@gmail.com wrote:
It is not just about the security of the users but privacy of the
users as well. Internet Archive moved to HTTPS so that nobody could
monitor what their users are accessing.
Yes, this is an extremely important point. It’s also why
Hi All,
If code4lb.org switched to HTTPS by default, can their content still be
archived by the Internet Archive?
thanks,
ranti.
On Thu, Nov 7, 2013 at 1:16 PM, Ordway, Ryan rord...@oregonstate.edu wrote:
The simplest solution would be to modify the settings.php to start pushing
everything
I haven't played much with requesting a page be archived, so it's only a
handful of links I had tried. From what Eric Hellman posted about hiccups,
it doesn't sound like https is a barrier if you set up the site and want to
allow archiving.
-Wilhelmina Randtke
On Sat, Nov 9, 2013 at 5:29 PM,
OK! Uncle! Just let's do something! I don't care *that* much about it!
-Ross.
On Nov 6, 2013 11:34 PM, Chad Fennell fenne...@umn.edu wrote:
On Wed, Nov 6, 2013 at 8:49 PM, Ross Singer rossfsin...@gmail.com wrote:
I guess I just don't see why http and https can't coexist.
They can
The simplest solution would be to modify the settings.php to start pushing
everything over HTTPS once someone has hit an HTTPS URL. The current
code4lib server has been here at OSU longer than I have (and I've been here
for 8+ years), and it's at MOST running at about 25% CPU capacity. Pushing
It sounds like we are willing to throw security under the bus for an edge case,
although I am sure that I am missing some subtlety
Cary
On Nov 5, 2013, at 10:27 AM, Ross Singer rossfsin...@gmail.com wrote:
On Tue, Nov 5, 2013 at 12:07 PM, William Denton w...@pobox.com wrote:
(Question:
Why? HTTPS is used when there is sensitive data involved, code4lib.org (at
least to my knowledge) does not have sensitive data?
Riley Childs
Library Director and IT Admin
Junior
Charlotte United Christian Academy
P: 704-497-2086 (Anytime)
P: 704-537-0331 x101 (M-F 7:30am-3pm ET)
Sent from my
SSL certs are expensive because of the administrative work associated with it.
Riley Childs
Library Director and IT Admin
Junior
Charlotte United Christian Academy
P: 704-497-2086 (Anytime)
P: 704-537-0331 x101 (M-F 7:30am-3pm ET)
Sent from my iPhone
Please excuse mistakes
On Nov 6, 2013, at
How is security getting thrown under the bus?
-Ross.
On Wednesday, November 6, 2013, Cary Gordon wrote:
It sounds like we are willing to throw security under the bus for an edge
case, although I am sure that I am missing some subtlety
Cary
On Nov 5, 2013, at 10:27 AM, Ross Singer
I guess I just don't see why http and https can't coexist.
-Ross.
On Nov 6, 2013 9:39 PM, Cary Gordon listu...@chillco.com wrote:
This conversation is heading into the draining the swamp category.
Bill Denton started this thread with the suggestion that we use HTTPS
everywhere. He did not
On Wed, Nov 6, 2013 at 8:49 PM, Ross Singer rossfsin...@gmail.com wrote:
I guess I just don't see why http and https can't coexist.
They can definitely coexist, but there is a corresponding maintenance cost
and a slightly higher risk profile (e.g. session hijacking is still
possible in a
On 4 November 2013, Ross Singer wrote:
While I'm not opposed to providing code4lib.org via HTTPS, I don't think
it's as simple as let's just do it!. Who will be responsible for making
sure the cert is up to date?
I will for a while! I'll make some entries in my calendar.
Who will pay for
On Tue, Nov 5, 2013 at 12:07 PM, William Denton w...@pobox.com wrote:
(Question: Why does HTTPS complicate screen-scraping? Every decent tool
and library supports HTTPS, doesn't it?)
Birkin asked me this same question, and I realized I should clarify what I
meant. I was mostly referring
For code4lib.org server-related stuffs, I'm your huckleberry.
Screen scraping an HTTPS site can be complicated for a number of reasons,
mostly depending on how smart the scraper is, the quality of the
certificate, etc.
I would be happy to make the webserver logs available to someone if they
I think it's time we made everything on code4lib.org use HTTPS by default
and redirect people to HTTPS from HTTP when needed. (Right now there's an
outdated self-signed SSL certificate on the site, so someone took a stab
at this earlier, but it's time to do it right.)
StartCom gives free SSL
NSA broke it already
On Mon, Nov 4, 2013 at 1:42 PM, William Denton w...@pobox.com wrote:
I think it's time we made everything on code4lib.org use HTTPS by default
and redirect people to HTTPS from HTTP when needed. (Right now there's an
outdated self-signed SSL certificate on the site, so
While I'm not opposed to providing code4lib.org via HTTPS, I don't think
it's as simple as let's just do it!. Who will be responsible for making
sure the cert is up to date? Who will pay for certs (if we don't go with
startcom)?
Also, forcing all traffic to HTTPS unnecessarily complicates some
On Mon, Nov 04, 2013 at 01:45:12PM -0500, Ethan Gruber wrote:
NSA broke it already
Very funny but untrue. While it is certainly possible to create an
insecure TLS certificate, for all we know it is not true that TLS has
been broken in general.
It is still one of the most usable protections
Let me second Ross's cautions here. The Internet Archive made the leap
to https about 10 days ago and there are still services that are broken
because of it. c4l should be simpler because there aren't services like
sending files to Kindle or complex APIs (at least, I don't think so),
but it's