On Tue, Mar 08, 2011 at 03:53:01PM +0100, Michał Górny wrote:
> On Tue, 08 Mar 2011 16:41:08 +0200
> Antoni Grzymała <awa...@chopin.edu.pl> wrote:
> 
> >  On Tue, 8 Mar 2011 15:26:34 +0100, Michał Górny wrote:
> > > On Mon, 07 Mar 2011 15:06:25 -0500
> > > Olivier Crête <tes...@gentoo.org> wrote:
> > >
> > >> On Mon, 2011-03-07 at 20:47 +0100, Michał Górny wrote:
> > >> > Why does everyone assume it needs to be enforced? If user is
> > >> > interested in protecting his/her data, he/she can simply use
> > >> > https://. If he/she is not, there is no real reason to enforce
> > >> > slower (and not always supported) SSL.
> > >>
> > >> Maybe it's not to protect the user, but to protect the Gentoo
> > >> infrastructure.. And really, SSL has been supported by every
> > >> browser for the last 15 years. And it is not in any way slow or
> > >> slower than non-SSL.
> > >
> > > If you really think you need to force all users to use SSL, thus
> > > assuming they're unable to make their own decisions, why don't you
> > > restrict bugzie access completely?
> > 
> >  You don't seem to (or pretend not to) understand that using SSL 
> >  protects not *the user* (in which case, yes, a user is free to leave
> > the door to *his own* house wide open), but the Gentoo infrastructure
> > that is far from his own and that all of us are using.
> 
> Please explain to me how not using SSL for a particular bugzie user is
> going to hurt Gentoo infra. Even if we're talking about a dev,
> and we're really assuming a dev is completely unaware of security
> issues he/she's dealing with, I'd say power outage could cause more
> damage.

If you access a bug which a user marked private/for devs only, or some
security bug, then the process of you viewing this information without
SSL would disclose this information to anyone listening on your
network. And disclosing your session cookie would allow anyone to find
any such private data they _want_ to find rather than just the content
you're viewing. Thus, by encrypting everything you are protecting
Gentoo users' data which is posted as private on bugzilla because they
trust that ``private'' actually means private.

> > Besides, complaining about SSL being slow is absurd considering how
> > mildly interactive and how low-traffic a typical bugzilla session is.
> > You could do just fine over a 9600 bps modem.
> 
> It is more absurd to waste 5 minutes trying to establish login session
> due to packet loss.

And if you have such a bad internet connection as you claim to have,
then perhaps there's a higher chance of people trolling your packets
anyways :-p.

-- 
binki

Look out for missing apostrophes!
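As an added illustration of the session-cookie point made above (this is not part of the thread and not Gentoo's code): a small check a site operator can run over a server's response headers to confirm that session cookies carry the `Secure` attribute, so a browser never sends them over plain HTTP even if a user types `http://`, and that HSTS is set so the plaintext request does not happen at all. The header lines and cookie names are constructed for the example.

```python
# Audit response headers for the cookie/transport hardening that makes
# "enforce SSL" actually protect session cookies.  Added example; the
# sample headers below are constructed, not captured from any real site.

SAMPLE_HEADERS = [
    "Set-Cookie: Bugzilla_login=12345; path=/; HttpOnly",              # assumed name
    "Set-Cookie: Bugzilla_logincookie=abcdef; path=/; Secure; HttpOnly",  # assumed name
    "Set-Cookie: LANG=en; path=/",
    "Strict-Transport-Security: max-age=31536000",
]

# Substrings that suggest a cookie holds login/session state.
SESSION_COOKIE_HINTS = ("login", "session", "sid")


def parse_set_cookie(header: str):
    """Split 'Set-Cookie: name=value; Attr; Attr=val' into (name, {attr: val})."""
    _, _, value = header.partition(":")
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookies(headers):
    """Return one finding per session-looking cookie that lacks Secure or HttpOnly."""
    findings = []
    for header in headers:
        if not header.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(header)
        if not any(hint in name.lower() for hint in SESSION_COOKIE_HINTS):
            continue  # a non-session cookie leaking is a smaller problem
        if "secure" not in attrs:
            findings.append(f"{name}: session cookie without Secure (sent over plain HTTP)")
        if "httponly" not in attrs:
            findings.append(f"{name}: session cookie without HttpOnly")
    return findings


def has_hsts(headers):
    """True if the response tells browsers to use HTTPS for future requests."""
    return any(h.lower().startswith("strict-transport-security:") for h in headers)


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
    print("HSTS present:", has_hsts(SAMPLE_HEADERS))
```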
