From: Mike Frysinger <vapier@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Cc: Tobias Klausmann <klausman@gentoo.org>
Subject: Re: [gentoo-dev] Bugzilla 4 migration
Date: Mon, 7 Mar 2011 10:00:47 -0500
Message-ID: <AANLkTik3+WYL0fjqVFqKFtqex+FvFmmbgqyFfZLX4g44@mail.gmail.com>
In-Reply-To: <20110307144819.GA28374@kaini.schwarzvogel.de>

On Mon, Mar 7, 2011 at 9:48 AM, Tobias Klausmann wrote:
> On Mon, 07 Mar 2011, Mike Frysinger wrote:
>> >> If *anybody* can't use SSL for any reason please yell so that we can
>> >> decide if we leave it as it is (plain + encrypted) or not.
>> >
>> > Is there any *real* reason to force SSL? It is *hell* slow.
>>
>> it should of course be forced for logging in
>
> If it is enforced for login, it should be enforced for logged
> in sessions, cf. Cookie stealing (for a POC: Firesheep). And no,
> restricting the login cookie to an IP is *not* "safe enough".

you're talking about two different things. imo it's more important to
protect the credentials than spoofing/replay attacks. the former is a
no-brainer while the latter is fine to leave to the discretion of the
end user.

-mike