[ https://issues.apache.org/jira/browse/OFBIZ-6849?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-6849:
-----------------------------------
    Description: 
I recently (2 weeks ago) started the ["Performance over security, is that 
reasonable?"|http://markmail.org/message/ubgacfzfxvlvlqva] thread on the dev ML. I 
think I did not explain myself well then. I must say it's easy to drown in 
details with this subject when you want to illustrate the reasons.

So instead of answering on the dev ML, I decided it would be easier to create a 
Jira task, possibly with related tasks; here it is.

For now I consider it only an improvement, but since it's a security matter we 
can discuss backporting later (hard in this case).

h3. Performance over security?
So why was this thread opposing performance and security? First we need to 
understand that here performance stands for HTTP and security for HTTPS. 
h3. And why the question about being reasonable or not?
I think it's unreasonable to put performance over security. And nowadays you 
are not secure when you use HTTP mixed with HTTPS. Most of the time, when you 
mix both, it is because you want to identify a user using a sessionId. As 
Forrest concisely explained in the above-referenced thread:
{quote}
If you're switching between HTTPS and HTTP based on some criteria, an attacker 
can leverage that to trick the user into all kinds of things.
{quote}

  was:
I recently (2 weeks ago) started the ["Performance over security, is that 
reasonable?"|http://markmail.org/message/ubgacfzfxvlvlqva] thread on the dev ML. I 
think I did not explain myself well then. I must say it's easy to drown in 
details with this subject when you want to illustrate the reasons.

So instead of answering on the dev ML, I decided it would be easier to create a 
Jira task, possibly with related tasks; here it is.

For now I consider it only an improvement, but since it's a security matter we 
can discuss backporting later (hard in this case).

h3. Performance over security?
So why was this thread opposing performance and security? First we need to 
understand that here performance stands for HTTP and security for HTTPS. 
And why the question about being reasonable or not?


> Use only HTTPS in OFBiz
> -----------------------
>
>                 Key: OFBIZ-6849
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6849
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>             Fix For: Upcoming Branch
>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
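As an added example (not part of this issue and not OFBiz code), the following Python models the browser's cookie rules with the standard library's http.cookiejar to show concretely what "identify a user using a sessionId" while mixing HTTP and HTTPS costs: a session cookie set on the HTTPS login is attached to any plain-HTTP request on the same host unless it carries the Secure attribute, so one forced http:// fetch is enough for an on-path attacker to read it. The host name shop.example.test, the session id value and the URLs are constructed for the example.

```python
"""Added example, not OFBiz code: why mixing HTTP and HTTPS exposes a sessionId.

http.cookiejar implements the same rules a browser follows when deciding which
cookies to attach to a request; in particular a cookie carrying the Secure
attribute is only sent on https:// requests. The host, session id and URLs
below are constructed for the example.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

HOST = "shop.example.test"      # hypothetical front-end host (constructed)
SESSION_ID = "3F2A9C0E5D1B"     # constructed value, not a real session id


class _Response:
    """Minimal stand-in for an HTTP response: CookieJar.extract_cookies()
    only needs .info() to return a Message-like object with get_all()."""

    def __init__(self, set_cookie_value):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie_value

    def info(self):
        return self._headers


def login(jar, secure_flag):
    """Simulate the HTTPS login response that establishes the session cookie.

    secure_flag=False is the weak setting: the cookie is usable over plain
    HTTP. secure_flag=True adds the Secure attribute.
    """
    login_req = Request(f"https://{HOST}/control/login")
    attrs = f"JSESSIONID={SESSION_ID}; Path=/; HttpOnly"
    if secure_flag:
        attrs += "; Secure"
    jar.extract_cookies(_Response(attrs), login_req)


def cookie_header_for(jar, url):
    """Return the Cookie header the browser model attaches to `url`, or None."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def session_cookie_views(secure_flag):
    """Log in once, then report what an https:// and an http:// request on the
    same host would carry: {"https": header_or_None, "http": header_or_None}.

    The http:// URL stands for any resource an attacker can make the victim's
    browser fetch in clear (an image on a page they control, a redirect to the
    "performance" HTTP pages, ...). Whatever comes back in that request is
    readable and replayable by anyone on the network path.
    """
    jar = CookieJar()
    login(jar, secure_flag)
    return {
        "https": cookie_header_for(jar, f"https://{HOST}/control/orderstatus"),
        "http": cookie_header_for(jar, f"http://{HOST}/images/logo.png"),
    }


def session_leaks_over_http(secure_flag):
    """True if a plain-HTTP request to the same host carries the session id."""
    return session_cookie_views(secure_flag)["http"] is not None


if __name__ == "__main__":
    for flag in (False, True):
        views = session_cookie_views(flag)
        print(f"Secure attribute set: {flag}")
        print("  https request carries:", views["https"])
        print("  http  request carries:", views["http"])
        print("  session id leaks over HTTP:", session_leaks_over_http(flag))
```

The Secure attribute closes this particular leak, but the HTTP pages themselves are still readable and modifiable in transit (including any link or form that is supposed to lead back to HTTPS), which is the broader point of the issue: serve everything over HTTPS rather than trying to keep a mixed setup safe.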