[ https://issues.apache.org/jira/browse/OFBIZ-6849?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15114796#comment-15114796 ]
Deepak Dixit commented on OFBIZ-6849: ------------------------------------- +1 Jacques, https://googlewebmastercentral.blogspot.in/2015/12/indexing-https-pages-by-default.html > Use only HTTPS in OFBiz > ----------------------- > > Key: OFBIZ-6849 > URL: https://issues.apache.org/jira/browse/OFBIZ-6849 > Project: OFBiz > Issue Type: Sub-task > Components: ALL COMPONENTS > Affects Versions: Trunk > Reporter: Jacques Le Roux > Assignee: Jacques Le Roux > Fix For: Upcoming Branch > > Attachments: OFBIZ-6849.patch > > > I recently (2 weeks ago) started the ["Performance over security, is that > reasonable?"|http://markmail.org/message/ubgacfzfxvlvlqva] thread on dev ML. > I think I did not explain me well then. I must say it's easy to drown down in > details with this subject when you want to illustrate the reasons. > So instead of answering on the dev ML, I decided it will be easier to create > a Jira task with maybe related tasks, here it is. > For now I consider it only an improvement, but since it's a security matter > we can discuss backporting later (hard in this case). > h3. Performance over security? > So why was this thread opposing performance and security? First we need to > understand that here performance stands for HTTP and security for HTTPS. > h3. And why the question about being reasonable or not? > I think it's unreasonable to put performance over security. And nowadays you > are not secure when you use HTTP mixed with HTTPS. Most of the time when you > mix both is because you want to identity an user using a sessionId. As > concisely explained Forrest in the above referenced thread > {quote} > If you're switching between HTTPS and HTTP based on some criteria, an > attacker can leverage that to trick the user into all kind of things. > {quote} -- This message was sent by Atlassian JIRA (v6.3.4#6332)