Re: [Dspace-tech] SSL and HTTPS Question

2011-08-01 Thread Mark H. Wood
On Fri, Jul 29, 2011 at 04:32:50PM -0400, Joseph wrote:
> So, I've turned on the configuration flag that forces the user to use HTTPS
> when they log in to DSpace;
>
> Should the rest of their session take place over an https connection or is
> it safe for them to go back to regular http after they have logged in?

In general we can't really answer that and you probably can't either.
It depends on the nature of the stuff in your repository and your
users' needs for privacy.  And if your repo. is public, you don't know
who your users are until they've arrived.

Here all access is encrypted.  I admit to being an extremist in this
area:  I think all network packets should be encrypted in at least one
layer unless someone can show a compelling reason for some particular
packets to go in clear.  And I figure that, if I'm worried about the
cost of encryption maxing out our processors, I didn't recommend a fast
enough machine.  Once the handshake is done, session encryption is cheap.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.


--
Got Input?   Slashdot Needs You.
Take our quick survey online.  Come on, we don't ask for help often.
Plus, you'll get a chance to win $100 to spend on ThinkGeek.
http://p.sf.net/sfu/slashdot-survey
___
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech


Re: [Dspace-tech] SSL and HTTPS Question

2011-08-01 Thread Tom De Mulder
On Mon, 1 Aug 2011, Mark H. Wood wrote:

>> Should the rest of their session take place over an https connection or is
>> it safe for them to go back to regular http after they have logged in?
>
> In general we can't really answer that and you probably can't either.
> It depends on the nature of the stuff in your repository and your
> users' needs for privacy.  And if your repo. is public, you don't know
> who your users are until they've arrived.

If you go back to HTTP after signing in, then anyone can eavesdrop and 
steal your session.

If you do not want this, then you should make sure to run everything over 
HTTPS as soon as someone's logged in. Then the rest of their session 
should be encrypted.

Assuming that the rest of the repository is public, you probably don't 
want the overhead and lack of caching of running that over HTTPS, so it's 
better to run it over plain HTTP until people log in.


Best,

--
Tom De Mulder td...@cam.ac.uk - Cambridge University Computing Service
+44 1223 3 31843 - New Museums Site, Pembroke Street, Cambridge CB2 3QH
- 01/08/2011 : The Moon is Waxing Crescent (9% of Full)
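The session-stealing risk Tom describes comes down to one detail: whether the session cookie set at login is marked Secure, so that the browser never attaches it to a plain http:// request. The script below is an added example, not code from the DSpace project or from anyone in this thread. It parses Set-Cookie headers with Python's standard library and reports which session cookies a browser would still send over HTTP once the user leaves the HTTPS pages. The header values and the cookie name list are constructed for illustration; DSpace's real cookie names are not assumed here beyond the Tomcat default JSESSIONID.

```python
"""Audit login-response cookies for exposure on plain HTTP.

Added example (not from the DSpace-tech thread). Parses Set-Cookie headers
and flags session cookies that a browser would also send on http://, i.e.
the ones an on-path eavesdropper could capture after a user logs in over
HTTPS and then browses the rest of the site over HTTP.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: headers from a hypothetical HTTPS login response.
SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",          # no Secure attribute
    "prefs=lang%3Den; Path=/; Max-Age=31536000",    # harmless preference
    "SSO=tok; Path=/; Secure; HttpOnly",            # correctly protected
]

# Cookie names treated as session identifiers (assumption for this example;
# JSESSIONID is the Tomcat default, the others are placeholders).
SESSION_COOKIE_NAMES = ("JSESSIONID", "SSO")


def parse_set_cookie(headers):
    """Return {name: {"secure": bool, "httponly": bool}} for each header."""
    result = {}
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # SimpleCookie stores flag attributes as True when present, "" otherwise.
            result[name] = {
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            }
    return result


def sent_with_request(attrs, url):
    """Would a conforming browser attach a cookie with these attributes to url?

    Secure cookies go only on https; everything else is sent on http as well.
    """
    if urlsplit(url).scheme == "https":
        return True
    return not attrs["secure"]


def audit_session_cookies(headers, session_names=SESSION_COOKIE_NAMES,
                          http_url="http://repo.example/"):
    """Return the session cookie names that would leak over plain HTTP."""
    cookies = parse_set_cookie(headers)
    return [name for name, attrs in cookies.items()
            if name in session_names and sent_with_request(attrs, http_url)]


if __name__ == "__main__":
    for name, attrs in parse_set_cookie(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{name:12} secure={attrs['secure']!s:5} httponly={attrs['httponly']}")
    leaking = audit_session_cookies(SAMPLE_SET_COOKIE_HEADERS)
    print("session cookies exposed on http://:", leaking or "none")
```

Running it on the constructed sample reports JSESSIONID as exposed and SSO as safe. Marking the session cookie Secure is what makes "public pages over HTTP, login over HTTPS" hold up against eavesdropping; the cost, which is the trade-off Tom points at, is that those HTTP pages then never see the cookie, so the user appears logged out on them.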



Re: [Dspace-tech] SSL and HTTPS Question

2011-07-29 Thread Stuart Lewis
Hi Joseph,

> So, I've turned on the configuration flag that forces the user to use HTTPS
> when they log in to DSpace;
>
> Should the rest of their session take place over an https connection or is it
> safe for them to go back to regular http after they have logged in?

For most sites, it is considered safe to go back to http.  You might want to 
consider securing a few other pages, such as the password change page.

Thanks,


Stuart Lewis
Digital Development Manager
Te Tumu Herenga The University of Auckland Library
Auckland Mail Centre, Private Bag 92019, Auckland 1142, New Zealand
Ph: +64 (0)9 373 7599 x81928

