[
https://issues.apache.org/jira/browse/OFBIZ-6849?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15122051#comment-15122051
]
Jacques Le Roux commented on OFBIZ-6849:
----------------------------------------
Another interesting point: for 2 or 3 years now I'm using
https://www.eff.org/https-everywhere in my preferred browsers (1= FF, 2=
Chrome, I use both depending on circumstances). Initially there were very few
cases where I had to downgrade sites to HTTP access. It's now a year or two I
did not have to do that. Which means there are now very few sites which does
not support HTTPS only.
> Use only HTTPS in OFBiz
> -----------------------
>
> Key: OFBIZ-6849
> URL: https://issues.apache.org/jira/browse/OFBIZ-6849
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL COMPONENTS
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-6849.patch
>
>
> I recently (~4 weeks ago) started the ["Performance over security, is that
> reasonable?"|http://markmail.org/message/ubgacfzfxvlvlqva] thread on dev ML.
> I think I did not explain me well then. I must say it's easy to drown down in
> details with this subject when you want to illustrate the reasons.
> So instead of only answering on the dev ML, I decided it will be good to
> create a Jira task with maybe related tasks, here it is.
> For now I consider it only an improvement, but since it's a security matter
> we can discuss backporting later.
> \\
> ----
> h2. TL;DR
> h3. Performance over security?
> So why was this thread opposing performance and security? First we need to
> understand that here performance stands for HTTP and security for HTTPS.
> h5. Why is HTTP standing for performance?
> Actually is now not much performance difference between the 2 protocols, but
> you can't cache HTTPS requests and it sometimes (inter-continental requests)
> matters.
> h3. And why the question about being reasonable or not?
> I think it's unreasonable to put performance over security. And nowadays you
> are not secure when you use HTTP mixed with HTTPS. Most of the time when you
> mix both is because you want to identity an user using a sessionId. So with
> HTTPS, after the user started with HTTP. As concisely explained Forrest in
> the above referenced thread
> {quote}
> If you're switching between HTTPS and HTTP based on some criteria, an
> attacker can leverage that to trick the user into all kind of things.
> {quote}
> It's also well and simply explained (with other things) in [this
> article|http://arstechnica.com/business/2011/03/https-is-great-here-is-why-everyone-needs-to-use-it-so-ars-can-too/]:
> {quote}
> The HTTP spec defines a “Secure” flag for cookies, which instructs the
> browser to only send that cookie value over SSL. If sites set that cookie
> like they’re supposed to, then yes, SSL is helping you out. Most sites don’t,
> however, and browsers will happily send the sensitive cookies over
> unencrypted HTTP. Our hypothetical skeezebag really just needs some way to
> trick you into opening a normal HTTP URL, maybe by e-mailing you a link to
> http://yourbank.com/a-picture-of-ponies-and-rainbows.gif so he can sniff the
> plain-text cookie off your unencrypted HTTP request, or by surreptitiously
> embedding a JavaScript file via some site’s XSS vulnerability.
> {quote}
> Of course if you site is only showing things but nobody has never to
> identify, then you are not at risk and HTTP only is perfect. But with
> ecommerce kind of site or such, it's rarely the case, most of the time users
> need to identify!
> ----
> \\
> So why are people still mixing HTTP and HTTPS on their site? In the 1st
> answer at
> [\[1\]|https://security.stackexchange.com/questions/4369/why-is-https-not-the-default-protocol#answer-4376]
> Thomas Pornin and others gave some interesting points and answers. At
> [\[2\]|http://arstechnica.com/business/2011/03/https-is-more-secure-so-why-isnt-the-web-using-it/]
> Yves Lafon gave also a good summary even if a bit old now. I took some
> questions/answers from
> [\[3\]|https://stackoverflow.com/questions/2746047/why-not-use-https-for-everything]
> also. So you might check those links by yourself, here is an abstract:
> # *"Some browsers may not support SSL"* Only old Lynx versions, negligible
> # *"Connection initiation requires some extra network roundtrips"* Negligible
> but for sites which serve mostly static contents, see "static content takes a
> hit" below.
> # *"the SSL initial key exchange adds to the latency"* As [completely
> explained
> here|https://security.stackexchange.com/questions/4369/why-is-https-not-the-default-protocol#comment-6560]:
> "most TLS server use a RSA key and the client part of RSA is cheap (the
> server incurs most of the cost in RSA)"
> # *"static content takes a hit"* You should though store static content
> apart. OFBiz comes with ofbizContentUrl and content.properties for that. But
> you should still use HTTPS. The [complete
> answer|https://security.stackexchange.com/questions/4369/why-is-https-not-the-default-protocol#comment-6560]
> for the last question (just above this one) also applies here.
> # *"HTTPS servers must use one IP per server name"* or *"it doesn't work with
> virtual hosts"* This issue has long been solved by [Server Name
> Indication|https://en.wikipedia.org/wiki/Server_Name_Indication] which is
> supported by all major browsers nowadays.
> # *Certificates are expansive* For demos, etc. (ie not for real production
> sites where a certificate is mandatory anyway) but this no longer an issue
> with
> [letsencrypt|https://community.letsencrypt.org/t/frequently-asked-questions-faq]
> # *"Proxy servers cannot cache pages served with HTTPS"* This is the more
> important point. Nowadays this is only a performance problem with
> inter-continental requests. Note that you can use HTTP for static content
> inside OFBiz
> [\[1\]
> https://security.stackexchange.com/questions/4369/why-is-https-not-the-default-protocol|https://security.stackexchange.com/questions/4369/why-is-https-not-the-default-protocol]
> [\[2\]
> http://arstechnica.com/business/2011/03/https-is-more-secure-so-why-isnt-the-web-using-it|http://arstechnica.com/business/2011/03/https-is-more-secure-so-why-isnt-the-web-using-it/]
> [\[3\]
> https://stackoverflow.com/questions/2746047/why-not-use-https-for-everything|https://stackoverflow.com/questions/2746047/why-not-use-https-for-everything]
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
