On Sep 16, 2007, at 1:10 PM, Martin Albrecht wrote:

>> For future reference, about 3-4 days ago I changed things so that the
>> public notebook server:
>>    (1) Doesn't use ssl at all, and
>>    (2) Is at http://sagenb.org  (and another at http://sagenb.com), so
>>          there is no funny business with ports.
>> Thus the above setup shouldn't get blocked anywhere anymore.
>> Obviously (1) means people could sniff passwords on the public notebook
>> easily, but this really isn't too worrisome given that the thing is free,
>> etc., so what should people expect?
>
> Did SSL slow down the machines that were running the public notebook? Did you
> run into scalability problems? If there is one lesson to be learned from
> it-sec then it is: people are amazingly stupid when it comes to it-sec. If
> you want to demonstrate that with SAGE you can easily work over the network
> using just a web browser (i.e. fulfill the promises of the webapps buzz) it
> is -- at least to me -- a requirement to not gamble with a user's
> credentials. Using a non-encrypted login page is -- again, at least to me --
> a gamble with the user's credentials. To sum up: I strongly vote for
> re-enabling SSL encryption.
>
> Martin

I would vote for having a checkbox on the login page of whether or
not to use SSL, checked by default. Even though I wouldn't use a
sensitive password, I think if we want people to post valuable
content (e.g. in the whole publish worksheet context) we should make
a reasonable effort to protect it (I'm not worried about sniffers,
but here I think it's an appearance/trust thing as much as anything).
On the other hand, we don't want to be blocking people who just want
to try stuff out.

I don't know about the pragmatics of serving via both http and https....

- Robert


