[ https://issues.apache.org/jira/browse/OFBIZ-6849?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15115083#comment-15115083 ]
Jacques Le Roux commented on OFBIZ-6849:
----------------------------------------

Thanks Deepak, I will have a look. I must say it's still a WIP on my side. I have also some changes that I'm testing. I want first to better explain why and how I want to do it. For instance the issue description is still not complete...

> Use only HTTPS in OFBiz
> -----------------------
>
> Key: OFBIZ-6849
> URL: https://issues.apache.org/jira/browse/OFBIZ-6849
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL COMPONENTS
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-6849.patch
>
>
> I recently (2 weeks ago) started the ["Performance over security, is that reasonable?"|http://markmail.org/message/ubgacfzfxvlvlqva] thread on the dev ML.
> I think I did not explain myself well then. I must say it's easy to drown in details with this subject when you want to illustrate the reasons.
> So instead of answering on the dev ML, I decided it would be easier to create a Jira task with maybe related tasks; here it is.
> For now I consider it only an improvement, but since it's a security matter we can discuss backporting later (hard in this case).
>
> h3. Performance over security?
>
> So why was this thread opposing performance and security? First we need to understand that here performance stands for HTTP and security for HTTPS.
>
> h3. And why the question about being reasonable or not?
>
> I think it's unreasonable to put performance over security. And nowadays you are not secure when you use HTTP mixed with HTTPS. Most of the time when you mix both it is because you want to identify a user using a sessionId, so with HTTPS, after the user started with HTTP. As Forrest concisely explained in the above referenced thread:
> {quote}
> If you're switching between HTTPS and HTTP based on some criteria, an attacker can leverage that to trick the user into all kinds of things.
> {quote}
> Of course if your site is only showing things but nobody ever has to identify, then you are not at risk and HTTP only is perfect. But with an ecommerce kind of site or such, it's rarely the case; most of the time users need to identify.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
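The risk the quoted description points at, a session id that was issued over HTTP and then reused over HTTPS, can be closed at the servlet layer by refusing to serve anything over plain HTTP. The filter below is an added example, not OFBiz code and not part of the attached patch; the class name HttpsOnlyFilter and the HSTS lifetime are assumptions of this example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical HTTPS-only filter (example code, not OFBiz's own).
// Every request that arrives over plain HTTP is redirected to HTTPS and any
// session that rode along on it is discarded, so a session id never
// survives the HTTP-to-HTTPS switch the issue description warns about.
public class HttpsOnlyFilter implements Filter {
    // Assumed HSTS lifetime: one year, so browsers stop issuing HTTP requests at all.
    private static final long HSTS_MAX_AGE_SECONDS = 31536000L;

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!request.isSecure()) {
            // The session id has already travelled in clear text; treat it as exposed.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", httpsUrl(request));
            return;
        }
        // Served over TLS: tell the browser to keep using HTTPS for this host.
        response.setHeader("Strict-Transport-Security",
                "max-age=" + HSTS_MAX_AGE_SECONDS + "; includeSubDomains");
        chain.doFilter(req, res);
    }

    // Rebuild the requested URL with the https scheme, keeping path and query.
    static String httpsUrl(HttpServletRequest request) {
        StringBuilder url = new StringBuilder("https://").append(request.getServerName());
        url.append(request.getRequestURI());
        if (request.getQueryString() != null) {
            url.append('?').append(request.getQueryString());
        }
        return url.toString();
    }
}
```

Pair the filter with `<cookie-config><secure>true</secure><http-only>true</http-only></cookie-config>` in web.xml so the container itself never emits the session cookie without the Secure flag.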