On Jun 13, 3:16 pm, Chris Seberino <cseber...@gmail.com> wrote:
> Speed is one reason someone may want to only do the login with SSL.
>
> I just checked and when I log into PayPal, it stays in SSL mode.
> However, when I log into eBay, it jumps OUT of SSL mode. Godaddy
> seems to do some pages with SSL and some without SSL.
>
> Whenever these sites drop down to unencrypted, aren't they also
> insecure since eBay and Godaddy are sending cookies in the clear?

It depends a bit. If one takes care to encode the communicating IP address in the cryptographic certificate one might be OK. However, it would be very hard to protect against a man-in-the-middle attack (i.e., someone in control of a router in between the client and the server could probably inject and spoof transactions). Given that sage doesn't try to mix SSL and non-SSL communications, its cookies are probably not secure against something along those lines. eBay and Godaddy hopefully demand SSL encoded form transmission for anything critical.

More importantly, before worrying about such optimizations you should probably first profile and verify that this is a bottleneck. Given the nature of sage, it is likely that given the weight of the notebook client-side and the computations server-side, the SSL encryption never is the limiting factor (sage notebooks are typically not a very high bandwidth application).

It is certainly much easier to create something reasonably secure going the all-SSL route, so unless you find you cannot afford it, it's best to stick to all SSL.
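
The mixed SSL/non-SSL case discussed in this thread, as an added example that is not part of the original posts: a small audit that takes the `Set-Cookie` headers from an HTTPS login response and reports which later requests would carry those cookies in cleartext. The host name, cookie name and URLs are constructed, and cookie matching is simplified to same-host cookies; it relies on the standard `Secure` cookie attribute, which the thread does not mention.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def cookies_set(set_cookie_headers):
    """Parse Set-Cookie header values into {cookie_name: has_secure_flag}."""
    jar = {}
    for header in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            # morsel["secure"] is True when the attribute is present, "" otherwise
            jar[name] = bool(morsel["secure"])
    return jar


def cleartext_exposures(login_url, set_cookie_headers, later_urls):
    """Return (url, cookie_name) pairs where a login cookie travels over plain HTTP."""
    login_host = urlsplit(login_url).hostname
    jar = cookies_set(set_cookie_headers)
    exposed = []
    for url in later_urls:
        parts = urlsplit(url)
        if parts.hostname != login_host:
            continue  # simplification: treat cookies as host-only
        if parts.scheme == "https":
            continue  # encrypted in transit
        for name, secure in jar.items():
            if not secure:  # browser will attach it to plain-HTTP requests
                exposed.append((url, name))
    return exposed


# Constructed sample data: login over HTTPS, then one page over plain HTTP.
LOGIN_URL = "https://notebook.example/login"
MIXED_SITE = ["sid=abc123; Path=/; HttpOnly"]          # no Secure attribute
ALL_SSL_SITE = ["sid=abc123; Path=/; HttpOnly; Secure"]
LATER_URLS = [
    "https://notebook.example/home",
    "http://notebook.example/worksheet/1",
]

if __name__ == "__main__":
    for label, headers in (("mixed", MIXED_SITE), ("all-SSL", ALL_SSL_SITE)):
        hits = cleartext_exposures(LOGIN_URL, headers, LATER_URLS)
        print(label, "->", hits or "no cleartext cookie exposure")
```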