[ https://issues.apache.org/jira/browse/OFBIZ-6849?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-6849:
-----------------------------------
    Description: 
I recently (2 weeks ago) started the ["Performance over security, is that 
reasonable?"|http://markmail.org/message/ubgacfzfxvlvlqva] thread on the dev ML. I 
think I did not explain myself well then. I must say it's easy to drown in 
details with this subject when you want to illustrate the reasons.

So instead of answering on the dev ML, I decided it would be easier to create a 
Jira task, possibly with related tasks; here it is.

For now I consider it only an improvement, but since it's a security matter we 
can discuss backporting later (hard in this case).

h3. Performance over security?
So why was this thread opposing performance and security? First we need to 
understand that here performance stands for HTTP and security for HTTPS.
h3. And why the question about being reasonable or not?
I think it's unreasonable to put performance over security. And nowadays you 
are not secure when you use HTTP mixed with HTTPS. Most of the time when you 
mix both it's because you want to identify a user using a sessionId, so with 
HTTPS, after the user started with HTTP. As Forrest concisely explained in the 
above referenced thread:
{quote}
If you're switching between HTTPS and HTTP based on some criteria, an attacker 
can leverage that to trick the user into all kinds of things.
{quote}
Of course if your site is only showing things and nobody ever has to identify 
themselves, then you are not at risk and HTTP only is perfect. But with an ecommerce 
kind of site or such, it's rarely the case; most of the time users need to identify 
themselves.
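The mitigation the ticket argues for, as an added illustration (not the OFBIZ-6849 patch or any OFBiz code): a hypothetical servlet filter that never serves a request over plain HTTP, so no sessionId is ever issued or read on an HTTP leg, and that sends HSTS on HTTPS responses so browsers stop trying HTTP at all. It assumes HTTPS is reachable on the default port 443 of the same host name.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical HttpsOnlyFilter: refuses to serve anything over HTTP.
 * Instead of letting a session started over HTTP continue over HTTPS (the
 * mix the ticket warns about), every HTTP request is redirected to its
 * HTTPS equivalent before any session is touched.
 */
public class HttpsOnlyFilter implements Filter {
    // One year; add "; includeSubDomains" only once every host is HTTPS-capable.
    private static final String HSTS = "max-age=31536000";

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!request.isSecure()) {
            // Do not call getSession() here: a JSESSIONID issued on this leg
            // would travel in the clear and could be replayed over HTTPS.
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", httpsUrlFor(request));
            return;
        }
        response.setHeader("Strict-Transport-Security", HSTS);
        chain.doFilter(req, res);
    }

    /** Rebuilds the request URL on the https scheme, keeping path and query. */
    static String httpsUrlFor(HttpServletRequest request) {
        StringBuilder sb = new StringBuilder("https://").append(request.getServerName());
        sb.append(request.getRequestURI());
        if (request.getQueryString() != null) {
            sb.append('?').append(request.getQueryString());
        }
        return sb.toString();
    }

    @Override
    public void destroy() { }
}
```

Pair it with `<session-config><cookie-config><secure>true</secure></cookie-config></session-config>` in web.xml (Servlet 3.0+) so the session cookie itself is never sent over HTTP even if a request slips past the filter.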

  was:
I recently (2 weeks ago) started the ["Performance over security, is that 
reasonable?"|http://markmail.org/message/ubgacfzfxvlvlqva] thread on the dev ML. I 
think I did not explain myself well then. I must say it's easy to drown in 
details with this subject when you want to illustrate the reasons.

So instead of answering on the dev ML, I decided it would be easier to create a 
Jira task, possibly with related tasks; here it is.

For now I consider it only an improvement, but since it's a security matter we 
can discuss backporting later (hard in this case).

h3. Performance over security?
So why was this thread opposing performance and security? First we need to 
understand that here performance stands for HTTP and security for HTTPS.
h3. And why the question about being reasonable or not?
I think it's unreasonable to put performance over security. And nowadays you 
are not secure when you use HTTP mixed with HTTPS. Most of the time when you 
mix both it's because you want to identify a user using a sessionId. As 
Forrest concisely explained in the above referenced thread:
{quote}
If you're switching between HTTPS and HTTP based on some criteria, an attacker 
can leverage that to trick the user into all kinds of things.
{quote}


> Use only HTTPS in OFBiz
> -----------------------
>
>                 Key: OFBIZ-6849
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6849
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>             Fix For: Upcoming Branch
>
>         Attachments: OFBIZ-6849.patch
>
>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
