[Sugar-devel] [PATCH] webactivity: seed the XS cookie at startup

Simon Schampijer simon at schampijer.de
Thu Feb 12 06:19:17 EST 2009


Martin Langhoff wrote:
> On Thu, Feb 12, 2009 at 11:54 PM, Simon Schampijer <simon at schampijer.de> wrote:
>> Plan A - HTTPS to the rescue
>> Just to understand better.
>>
>> Is the main issue that we have to change the protocol - or are you more
>> worried about the CPU cost?
> 
> Both. And also HTTPS network load, as HTTPS is a lot less cache-friendly.
> 
>> So as I understand the process: At registration time with the XS the cert is
>> created and transferred to the client. Probably stored then in the profile.
>> Browse does then integrate it when it starts. The cert integration itself in
>> Browse should not be hard.
> 
> You are right, it shouldn't be hard if you "seed" it in the same way
> my patch is seeding the cookies.
> 
> Carol pointed out another alternative a couple of emails ago. Seems to
> sidestep the registration rework, but may be complex to implement.
> 
> But I'm more than happy with my simple Plan C :-) - which is about as
> safe as gmail over http as most people use every day!

As safe as having your email indexed by the provider... :)

When thinking about it a bit more - the big plus with your approach is that
it only affects Browse, code-wise, which is a big plus when backporting to
0.82, actually maybe the only way.

Cheers,
    Simon
