On 10/8/2010 1:20 PM, Lucian Adrian Grijincu wrote:
> Yes, but what protection does this bring if:
>
> * the speaker enters "wiki.ubuntu.com" in the browser (default to HTTP)
>
> * the attacker does NOT redirect to a SSL site and just presents a
>   (malicious) HTTP page
>
> * the speaker has no clue that wiki.ubuntu.com should normally be on HTTPS

My thoughts exactly. This is an extraordinarily contrived reason to always use ssl. Not to mention that ANY site that says to add a repository hosted on some random server you have never heard of should probably cause you to think twice. If it would be that obvious to people watching changes to the wiki, it should be just as obvious to someone reading it.

Now that I think about it though, why is the page not cached? Is it because the server is setting the no cache flag, or because the browser refuses to cache documents fetched with ssl? If the former, then changing that would help the matter quite a bit while still using ssl.

The load on the server could also be reduced by using null encryption when sending to the client, or does it have to use the same encryption both directions? I suppose you do want any password the client sends to be encrypted.

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss