On 06/13/2011 06:16 PM, Chris Seberino wrote:
> On Jun 13, 4:43 pm, Michael Orlitzky <mich...@orlitzky.com> wrote:
>> I don't know if there's a way to allow this, but why would you want to?
>> When you log in -- presumably, over SSL, because you want to protect
>> your password -- your browser is sent a session cookie that it uses to
>> identify you in the future.
>>
>> If you switch to plain HTTP in the same session, your password won't be
>> sent in plain text, but the session cookie will be, and that's almost as
>> bad: an attacker can pretend he's you until you log out.
>>
>> You could do a delicate dance to try to ensure that only "unprivileged"
>> data is sent across the plain-HTTP channel; but again, why? And is it
>> worth the time it would take to implement it and the associated security
>> risk?
> 
> Michael
> 
> Speed is one reason someone may want to only do the login with SSL.

The speed difference really is negligible these days.


> I just checked and when I log into PayPal, it stays in SSL mode.
> However, when I log into eBay, it jumps OUT of SSL mode.  Godaddy
> seems to do some pages with SSL and some without SSL.
> 
> Whenever these sites drop down to unencrypted, aren't they also
> insecure since eBay and Godaddy are sending cookies in the clear?

Chances are, they screwed up somewhere and are insecure. While it's
still possible to send *only* the cookie over HTTPS, it's unnecessarily
error-prone. Someone released a tool a while ago called Firesheep that
was originally targeted at Facebook,

  http://codebutler.com/firesheep

and a number of other websites got caught with their pants down,
including Google (gmail), Twitter, and Flickr. So it's not so
unbelievable that eBay or GoDaddy would make the same mistake.

If your account is important enough that you encrypt the password, you
probably want to encrypt the whole session.

-- 
To post to this group, send email to sage-support@googlegroups.com
To unsubscribe from this group, send email to 
sage-support+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/sage-support
URL: http://www.sagemath.org
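Michael's point about the session cookie going out in the clear, as an added Python example that is not part of the thread: it applies the browser's rule for the Secure cookie attribute to a constructed login response and a short browsing session, and reports which requests would expose the session cookie to a passive observer on the network. The cookie name, value and URLs are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie header values, as a login response might issue them.
# The first is the error-prone form the thread discusses: nothing stops the
# browser from attaching the cookie to a later plain-HTTP request.
WEAK_LOGIN_RESPONSE = "sessionid=abc123; Path=/; HttpOnly"
HARDENED_LOGIN_RESPONSE = "sessionid=abc123; Path=/; Secure; HttpOnly"


def parse_set_cookie(header):
    """Return (name, value, secure_flag) for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    # Morsel attributes: True when the flag was present, "" otherwise.
    return name, morsel.value, bool(morsel["secure"])


def cookies_sent(set_cookie_header, request_scheme):
    """Browser rule: a cookie marked Secure is only attached to https://
    requests; a cookie without the flag is attached to http:// requests too."""
    name, value, secure = parse_set_cookie(set_cookie_header)
    if secure and request_scheme != "https":
        return {}
    return {name: value}


def exposed_to_sniffer(set_cookie_header, request_scheme):
    """Someone watching the wire sees the cookie iff it travels over plain HTTP."""
    return request_scheme == "http" and bool(
        cookies_sent(set_cookie_header, request_scheme))


def leaked_requests(set_cookie_header, urls):
    """Given the login Set-Cookie and the URLs visited afterwards, list the
    requests on which the session cookie is sent unencrypted."""
    return [u for u in urls
            if exposed_to_sniffer(set_cookie_header, urlsplit(u).scheme)]


# Constructed session: SSL login, then a mixed HTTP/HTTPS browse of the site.
SESSION = [
    "https://shop.example/login",
    "http://shop.example/items/42",
    "https://shop.example/account",
]

if __name__ == "__main__":
    print("weak cookie leaks on:", leaked_requests(WEAK_LOGIN_RESPONSE, SESSION))
    print("Secure cookie leaks on:", leaked_requests(HARDENED_LOGIN_RESPONSE, SESSION))
```

With the Secure attribute the cookie is simply never attached to the http:// page, which is the setting that removes the "delicate dance" of deciding which pages may drop out of SSL.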
