I thought the problem is that no one has configured Apache on sage.math to use SSL for use with sagenb.org and sagenb.com.
On 9/17/07, Robert Bradshaw <[EMAIL PROTECTED]> wrote:
>
> On Sep 16, 2007, at 1:10 PM, Martin Albrecht wrote:
>
> >> For future reference, about 3-4 days ago I changed things so that the
> >> public notebook server:
> >> (1) Doesn't use ssl at all, and
> >> (2) Is at http://sagenb.org (and another at http://sagenb.com), so
> >> there is no funny business with ports.
> >> Thus the above setup shouldn't get blocked anywhere anymore.
> >> Obviously (1) means people could sniff passwords on the public notebook
> >> easily, but this really isn't too worrisome given that the thing is free,
> >> etc., so what should people expect?
> >
> > Did SSL slow down the machines that were running the public notebook? Did you
> > run into scalability problems? If there is one lesson to be learned from
> > it-sec then it is: people are amazingly stupid when it comes to it-sec. If
> > you want to demonstrate that with SAGE you can easily work over the network
> > using just a web browser (i.e. fulfill the promises of the webapps buzz) it
> > is -- at least to me -- a requirement to not gamble with a user's
> > credentials. Using a non-encrypted login page is -- again, at least to me --
> > a gamble with the user's credential. To sum up: I strongly vote for
> > re-enabling SSL encryption.
> >
> > Martin
>
> I would vote for having a checkbox on the login page of whether or
> not to use SSL, checked by default. Even though I wouldn't use a
> sensitive password, I think if we want people to post valuable
> content (e.g. in the whole publish worksheet context) we should make
> a reasonable effort to protect it (I'm not worried about sniffers,
> but here I think it's an appearance/trust thing as much as anything).
> On the other hand, we don't want to be blocking people who just want
> to try stuff out.
>
> I don't know about the pragmatics of serving via both http and https....
>
> - Robert