We've noticed a difference in performance on our servers using http vs https,
so we figured we could use some code to handle this issue instead of upgrading our
servers. I don't really agree that if you secure the site with a login,
everything should be secure. Digg, for example, doesn't need to encrypt its
news feed after you log in because the information is not sensitive. Many
sites I've seen have non-secure content after logging in. I was hoping there
was an easy way to do it in Stripes, but I guess not.

On Mon, Jan 31, 2011 at 10:19 AM, Stone, Timothy
<tst...@barclaycardus.com> wrote:

> Couldn't this "use case" also be addressed with OAuth? Where the Auth is
> performed over OAuth, but the site remains over HTTP (non-secure).
>
> I do agree 100% with Janne though, HTTPS is cheap. If the
> username/password, and the services provided by the webapp should be
> secure, make it secure 100% of the time, e.g., redirect to HTTPS
> immediately on hitting the site.
>
> Regards,
> Tim
>
> -----Original Message-----
> From: Janne Jalkanen [mailto:janne.jalka...@ecyrd.com]
> Sent: Monday, January 31, 2011 9:48 AM
> To: Stripes Users List
> Subject: Re: [Stripes-users] HTTPS to HTTP switching
>
> > 1) Logging in. The login action should be https so username and
> > password are encrypted, but once I pass the login, the first page the
> > user sees does not need to be secure, hence switching from https to
> > http
>
> And that's exactly when your site stops being secure, and the user
> session can be hijacked, and your site is compromised.  Facebook does
> login over https, yet the sessions can be hijacked. That's why they're
> rolling out the change...
>
> Please *do* seriously consider using https all the way after the user
> has logged in. You have very few real reasons why you shouldn't - https
> is very cheap these days with SSL-terminating load balancers and
> plenty of CPU power for decryption anyway. You're otherwise creating a
> fairly easy-to-exploit security hole in your system... (unless, of
> course, you can ensure that nobody ever uses your system over WiFi.)
>
> /Janne
>
>
> ------------------------------------------------------------------------------
> Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
> Finally, a world-class log management solution at an even better
> price-free!
> Download using promo code Free_Logger_4_Dev2Dev. Offer expires February
> 28th, so secure your free ArcSight Logger TODAY!
> http://p.sf.net/sfu/arcsight-sfd2d
> _______________________________________________
> Stripes-users mailing list
> Stripes-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/stripes-users
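Tim's and Janne's recommendation above (redirect to HTTPS immediately on hitting the site, and stay there after login so the session cookie is never sent in clear) can be enforced in a Stripes application with a plain servlet filter mapped ahead of the Stripes filter. The class below is an added illustration written for this thread, not code from the Stripes project or from any of the posters; the filter name and the X-Forwarded-Proto convention for an SSL-terminating load balancer are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of Stripes): forces every request onto HTTPS
 * so the session cookie issued after login is never transmitted over HTTP.
 * Map it in web.xml to <url-pattern>/*</url-pattern> before StripesFilter.
 */
public class RequireHttpsFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Behind an SSL-terminating load balancer the container sees plain HTTP,
        // so also accept the X-Forwarded-Proto header, but only if the balancer
        // is configured to overwrite any client-supplied value (assumption).
        boolean secure = request.isSecure()
                || "https".equalsIgnoreCase(request.getHeader("X-Forwarded-Proto"));

        if (!secure) {
            // Rebuild the requested URL with an https scheme and redirect to it.
            StringBuffer url = request.getRequestURL();
            String httpsUrl = "https" + url.substring(url.indexOf(":"));
            if (request.getQueryString() != null) {
                httpsUrl += "?" + request.getQueryString();
            }
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", httpsUrl);
            return;
        }

        // Ask browsers to use HTTPS for this host for one year (HSTS), so a
        // later typed-in http:// link is upgraded before it ever leaves the client.
        response.setHeader("Strict-Transport-Security", "max-age=31536000");
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Pair this with the Servlet 3.0 `<session-config><cookie-config><secure>true</secure></cookie-config></session-config>` setting in web.xml so the container itself refuses to send JSESSIONID over HTTP; the redirect alone does not protect a request whose cookie has already gone out in clear.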