Re: Wiki & SSL

2010-10-08 Thread Clint Byrum
On Oct 8, 2010, at 4:31 PM, Lucian Adrian Grijincu wrote:
> On Fri, Oct 8, 2010 at 10:09 PM, Clint Byrum wrote:
>> Right, though if that site is *delivered via ssl* and the cert is from
>> a trusted organization, you can trust the source of that information..
>> if you click "history" you know y

Re: Wiki & SSL

2010-10-08 Thread Lucian Adrian Grijincu
On Fri, Oct 8, 2010 at 10:09 PM, Clint Byrum wrote:
> Right, though if that site is *delivered via ssl* and the cert is from
> a trusted organization, you can trust the source of that information..
> if you click "history" you know you're getting the real history.
>
> So if the attacker did not re

Re: Wiki & SSL

2010-10-08 Thread Clint Byrum
On Oct 8, 2010, at 11:39 AM, Phillip Susi wrote:
> On 10/8/2010 1:20 PM, Lucian Adrian Grijincu wrote:
>> Yes, but what protection does this bring if:
>>
>> * the speaker enters "wiki.ubuntu.com" in the browser (default to HTTP)
>>
>> * the attacker does NOT redirect to a SSL site and just pres

Re: Wiki & SSL

2010-10-08 Thread Phillip Susi
On 10/8/2010 1:20 PM, Lucian Adrian Grijincu wrote:
> Yes, but what protection does this bring if:
>
> * the speaker enters "wiki.ubuntu.com" in the browser (default to HTTP)
>
> * the attacker does NOT redirect to a SSL site and just presents a
> (malicious) HTTP page
>
> * the speaker has no c

Re: Wiki & SSL

2010-10-08 Thread Lucian Adrian Grijincu
On Fri, Oct 8, 2010 at 8:02 PM, Clint Byrum wrote:
> With SSL, this will at least show some very serious warnings about
> the SSL certificate. Even if he just redirects from the http port
> on wiki.ubuntu.com to https on his evil server, he will have to
> change the name, and the attack has yet an

Re: Wiki & SSL

2010-10-08 Thread Clint Byrum
On Oct 8, 2010, at 8:38 AM, Phillip Susi wrote:
> wiki.ubuntu.com forces you to use an SSL connection via automatic
> redirect to https. Why does it do this, and can we stop that please?
> There is no reason for using SSL to access a public web site when you
> are not logged in. It only serves

Wiki & SSL

2010-10-08 Thread Phillip Susi
wiki.ubuntu.com forces you to use an SSL connection via automatic redirect to https. Why does it do this, and can we stop that please? There is no reason for using SSL to access a public web site when you are not logged in. It only serves to slow things down, prevent caching, and put a lot more l