On 16/01/13 08:59, Joerg Jaspert wrote:
>
>>> If the https connections are considered too onerous for some reason, I'd
>>> be happy to try to help troubleshoot and improve the situation, if
>>> that's desired.
>>>
>> https hasn't been too onerous for Nokia:
>> http://gizmodo.com/5975095/nokias-xpress-browser-decrypts-your-https-data
>> Two factor authentication may be the next step
>>
> I don't believe they really decrypt it. I think, as it's their browser
> routing it via Nokia, that that one helps them by giving out whatever
> information they need for it. Not sure though.
>

My understanding is that they put their own root certificate in the browser and then use a dynamic type of SSL server that generates SSL certificates on the fly, to match any domain requested. But then again, a browser vendor could just hide the warning popups too, or pretend it was SSL by putting a padlock logo even when it isn't.

> But that doesn't matter: This is wiki.debconf.org. Which has been, for a
> LONG time, without any protection for the logins. So https is a (good)
> step forward. Now directly going one more, making it much harder for all
> involved to contribute does seem to be lots of overkill.
>

I wasn't suggesting such a scheme would be mandatory. Some sites offer optional OpenID logins, and then the OpenID can use two-factor authentication.