On 9/17/07, Timothy Clemans <[EMAIL PROTECTED]> wrote:
>
> I thought the problem is that no one has configured Apache on
> sage.math to use SSL for use with sagenb.org and sagenb.com.
>

Timothy is right. The main reason that I turned off ssl is that I have not
been able to configure apache to correctly do proxy forwarding and SSL.
Actually, I did figure out how to get it to do exactly *one* forwarding,
e.g., if the only page were sagenb.org (and not sagenb.com), then it would
be fine (both are served on the same page).

William

> On 9/17/07, Robert Bradshaw <[EMAIL PROTECTED]> wrote:
> >
> > On Sep 16, 2007, at 1:10 PM, Martin Albrecht wrote:
> >
> > >> For future reference, about 3-4 days ago I changed things so that the
> > >> public notebook server:
> > >> (1) Doesn't use ssl at all, and
> > >> (2) Is at http://sagenb.org (and another at http://sagenb.com), so
> > >> there is no funny business with ports.
> > >> Thus the above setup shouldn't get blocked anywhere anymore.
> > >> Obviously (1) means people could sniff passwords on the public
> > >> notebook easily, but this really isn't too worrisome given that the
> > >> thing is free, etc., so what should people expect?
> > >
> > > Did SSL slow down the machines that were running the public
> > > notebook? Did you run into scalability problems? If there is one
> > > lesson to be learned from it-sec then it is: people are amazingly
> > > stupid when it comes to it-sec. If you want to demonstrate that with
> > > SAGE you can easily work over the network using just a web browser
> > > (i.e. fulfill the promises of the webapps buzz) it is -- at least to
> > > me -- a requirement to not gamble with a user's credentials. Using a
> > > non-encrypted login page is -- again, at least to me -- a gamble with
> > > the user's credential. To sum up: I strongly vote for re-enabling SSL
> > > encryption.
> > >
> > > Martin
> >
> > I would vote for having a checkbox on the login page of whether or
> > not to use SSL, checked by default. Even though I wouldn't use a
> > sensitive password, I think if we want people to post valuable
> > content (e.g. in the whole publish worksheet context) we should make
> > a reasonable effort to protect it (I'm not worried about sniffers,
> > but here I think it's an appearance/trust thing as much as anything).
> > On the other hand, we don't want to be blocking people who just want
> > to try stuff out.
> >
> > I don't know about the pragmatics of serving via both http and https....
> >
> > - Robert
> >

--
William Stein
Associate Professor of Mathematics
University of Washington
http://wstein.org