[ https://issues.apache.org/jira/browse/OFBIZ-6849?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15115083#comment-15115083 ]

Jacques Le Roux commented on OFBIZ-6849:
----------------------------------------

Thanks Deepak, I will have a look.

I must say it's still a WIP on my side. I also have some changes that I'm 
testing. I want first to better explain why and how I want to do it. For instance, 
the issue description is still not complete...

> Use only HTTPS in OFBiz
> -----------------------
>
>                 Key: OFBIZ-6849
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6849
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>             Fix For: Upcoming Branch
>
>         Attachments: OFBIZ-6849.patch
>
>
> I recently (2 weeks ago) started the ["Performance over security, is that 
> reasonable?"|http://markmail.org/message/ubgacfzfxvlvlqva] thread on the dev ML. 
> I think I did not explain myself well then. I must say it's easy to drown in 
> details with this subject when you want to illustrate the reasons.
> So instead of answering on the dev ML, I decided it would be easier to create 
> a Jira task with maybe related tasks; here it is.
> For now I consider it only an improvement, but since it's a security matter 
> we can discuss backporting later (hard in this case).
> h3. Performance over security?
> So why was this thread opposing performance and security? First we need to 
> understand that here performance stands for HTTP and security for HTTPS. 
> h3. And why the question about being reasonable or not?
> I think it's unreasonable to put performance over security. And nowadays you 
> are not secure when you use HTTP mixed with HTTPS. Most of the time when you 
> mix both it's because you want to identify a user using a sessionId, so with 
> HTTPS, after the user started with HTTP. As Forrest concisely explained in 
> the above referenced thread:
> {quote}
> If you're switching between HTTPS and HTTP based on some criteria, an 
> attacker can leverage that to trick the user into all kinds of things.
> {quote}
> Of course, if your site is only showing things and nobody ever has to 
> identify themselves, then you are not at risk and HTTP only is perfect. But with 
> an ecommerce kind of site or such, that's rarely the case; most of the time users 
> need to identify themselves.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
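An added illustration (not part of this issue, the attached patch or OFBiz's own code) of the mixed HTTP/HTTPS session problem described above: a login response over HTTPS sets a session cookie, and the user then browses pages on the same host, some of which are still served over plain HTTP. The host name, cookie name and URLs are constructed sample values; the send rule follows the RFC 6265 Secure attribute, with Path and Domain matching ignored for brevity.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: the cookie a login over HTTPS sets (no Secure flag),
# and the pages the user visits afterwards on the same host, mixed schemes.
LOGIN_SET_COOKIE = "JSESSIONID=abc123; Path=/; HttpOnly"
LATER_REQUESTS = [
    "https://shop.example/control/checkout",
    "http://shop.example/control/main",
    "http://shop.example/images/logo.png",
]


def cookie_sent_over(set_cookie, request_url):
    """Return {cookie_name: bool}: would the browser attach the cookie to this
    request? A cookie marked Secure is only sent over https; one without the
    flag is sent over both schemes."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    scheme = urlsplit(request_url).scheme
    return {name: scheme == "https" or not bool(morsel["secure"])
            for name, morsel in jar.items()}


def plaintext_exposures(set_cookie, requests):
    """URLs on which the session id would travel unencrypted, i.e. where a
    passive observer of the network learns the session established over HTTPS."""
    return [url for url in requests
            if urlsplit(url).scheme == "http"
            and any(cookie_sent_over(set_cookie, url).values())]


def silently_unauthenticated(set_cookie, requests):
    """URLs where a Secure cookie is withheld: the session id is safe, but the
    user appears logged out on every HTTP page, which is why the real fix is
    serving everything over HTTPS rather than just adding the Secure flag."""
    return [url for url in requests
            if not any(cookie_sent_over(set_cookie, url).values())]


if __name__ == "__main__":
    print("leaked on:", plaintext_exposures(LOGIN_SET_COOKIE, LATER_REQUESTS))
    hardened = LOGIN_SET_COOKIE + "; Secure"
    print("leaked on:", plaintext_exposures(hardened, LATER_REQUESTS))
    print("logged out on:", silently_unauthenticated(hardened, LATER_REQUESTS))
```

Without the Secure flag the session id is exposed on every HTTP page; with the flag it is no longer exposed, but the HTTP pages lose the session, so the only consistent configuration is HTTPS for the whole site.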
