From: Michał Górny
To: gentoo-dev@lists.gentoo.org
Cc: klausman@gentoo.org
Subject: Re: [gentoo-dev] Bugzilla 4 migration
Date: Mon, 7 Mar 2011 20:47:08 +0100
Message-ID: <20110307204708.5da83080@pomiocik.lan>
In-Reply-To: <20110307144819.GA28374@kaini.schwarzvogel.de>
References: <4D7410E3.3070708@gentoo.org> <20110307101214.37beac3a@pomiocik.lan> <20110307144819.GA28374@kaini.schwarzvogel.de>
Organization: Gentoo
X-Mailer: Claws Mail 3.7.8 (GTK+ 2.24.1; x86_64-pc-linux-gnu)

On Mon, 7 Mar 2011 15:48:19 +0100
Tobias Klausmann wrote:

> On Mon, 07 Mar 2011, Mike Frysinger wrote:
> > >> If *anybody* can't use SSL for any reason please yell so that we
> > >> can decide if we leave it as it is (plain + encrypted) or not.
> > >
> > > Is there any *real* reason to force SSL? It is *hell* slow.
> >
> > it should of course be forced for logging in
>
> If it is enforced for login, it should be enforced for logged
> in sessions, cf. cookie stealing (for a POC: Firesheep). And no,
> restricting the login cookie to an IP is *not* "safe enough".

Why does everyone assume it needs to be enforced? If the user is
interested in protecting his/her data, he/she can simply use https://.
If he/she is not, there is no real reason to enforce slower (and not
always supported) SSL.

It's like forcing everyone to have doors with semi-automatic locks.

-- 
Best regards,
Michał Górny
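The two mechanisms argued about above, modelled as an added example that is not code from this thread, from Gentoo or from Bugzilla: the browser-side rule that decides whether a cookie is attached to a plain-http request (only the Secure attribute stops it, and a Secure cookie cannot serve a logged-in session over http:// at all), and the server-side "bind the login cookie to the client IP" check, which a sniffer behind the same NAT or on the same Wi-Fi passes because it presents the same public address. The hostname, cookie name, cookie value and IP addresses are constructed for the demo and are not Bugzilla's real ones.

```python
"""Added example, not code from the gentoo-dev thread or from Bugzilla.

Models two things the thread argues about:
  1. the browser rule that decides whether a cookie goes out on a plain
     http request (only the Secure attribute prevents it), and
  2. a server-side "bind the session to the client IP" check, and why a
     sniffer on the same NAT'd network still passes it.

All hostnames, cookie names, values and IPs below are constructed.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

SESSION_COOKIE = "session"   # constructed name, not Bugzilla's real cookie name


def store_cookies(jar, set_cookie_header):
    """Parse one Set-Cookie header into jar (dict: name -> Morsel)."""
    parsed = SimpleCookie()
    parsed.load(set_cookie_header)
    for name, morsel in parsed.items():
        jar[name] = morsel


def cookies_sent(jar, url):
    """Cookie names a browser would attach to a request for url.

    Implements only the RFC 6265 section 5.4 rule that matters here:
    a cookie flagged Secure is sent over https only; everything else is
    sent on http too, in the clear.
    """
    https = urlsplit(url).scheme == "https"
    return sorted(n for n, m in jar.items() if https or not m["secure"])


def session_leaks_over_http(set_cookie_header, next_url):
    """Login happened over https and produced set_cookie_header.

    True if the session cookie rides on the next plain-http request,
    i.e. a passive sniffer (Firesheep) would obtain it.
    """
    jar = {}
    store_cookies(jar, set_cookie_header)
    return (urlsplit(next_url).scheme == "http"
            and SESSION_COOKIE in cookies_sent(jar, next_url))


# --- server side: the "restrict the login cookie to an IP" idea ----------

def validate_session(sessions, cookie_value, client_ip):
    """Look the session up and require the client IP recorded at login."""
    sess = sessions.get(cookie_value)
    return sess is not None and sess["ip"] == client_ip


def ip_binding_stops_replay(victim_public_ip, attacker_public_ip):
    """Victim logged in; attacker replays the sniffed cookie value.

    Returns True only if the IP check rejects the attacker. Behind a
    shared NAT (typical Wi-Fi) both hosts present the same public
    address, so the check passes for the attacker too.
    """
    sessions = {"a1b2c3": {"user": "victim", "ip": victim_public_ip}}   # constructed
    return not validate_session(sessions, "a1b2c3", attacker_public_ip)


if __name__ == "__main__":
    next_click = "http://bugs.example.org/show_bug.cgi?id=1"   # constructed URL
    weak = f"{SESSION_COOKIE}=a1b2c3; Path=/; HttpOnly"
    hard = f"{SESSION_COOKIE}=a1b2c3; Path=/; HttpOnly; Secure"
    print("no Secure flag, next click over http: leaks =",
          session_leaks_over_http(weak, next_click))
    print("Secure flag, next click over http:    leaks =",
          session_leaks_over_http(hard, next_click))
    print("IP binding, attacker behind same NAT: stops =",
          ip_binding_stops_replay("203.0.113.7", "203.0.113.7"))
    print("IP binding, attacker elsewhere:       stops =",
          ip_binding_stops_replay("203.0.113.7", "198.51.100.9"))
```

The first two calls show the trade-off in one place: without Secure the cookie set during the https login is replayed in the clear on the very next http:// page, and with Secure the browser withholds it on http://, which is exactly "enforcing SSL for logged-in sessions" by another name. The last two show that IP binding only helps against an attacker on a different network, not against one sharing the victim's NAT.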