[Sugar-devel] [PATCH] webactivity: seed the XS cookie at startup

Carol Farlow Lerche cafl at msbit.com
Thu Feb 12 13:07:05 EST 2009


Martin, I want to understand what https traffic you are concerned will
affect performance and caching.  As far as I understand the need for https,
it would only be used infrequently, when reauthenticating to the server.
I.e.:

1. XO connects to Moodle without valid cookie and is redirected to https
login.

2. https client cert is exchanged, and cookie of limited duration is
planted.

3. XO connects to Moodle, cookie is valid, no redirection needed.

There might be particular use cases where the data in transit needed to be
protected against snooping, but a use case analysis needs to be done to
identify these.  I can't imagine that it would be needed in day-to-day
classroom use by students.

On Thu, Feb 12, 2009 at 6:55 AM, <david at lang.hm> wrote:

> On Fri, 13 Feb 2009, Martin Langhoff wrote:
>
> > On Thu, Feb 12, 2009 at 11:54 PM, Simon Schampijer <simon at schampijer.de>
> wrote:
> >> Plan A - HTTPS to the rescue
> >> Just to understand better.
> >>
> >> Is the main issue that we have to change the protocol - or are you more
> >> worried about the CPU cost?
> >
> > Both. And also HTTPS network load, as HTTPS is a lot less cache-friendly.
>
> note that if the XS is acting as a proxy the cache issue can be addressed.
> The XS can get a copy of the XO client cert at registration time, and with
> it can decrypt the HTTPS traffic and cache the unencrypted version. this
> is a lot of cpu, but it's on the XS not the XO, so it shouldn't be as bad
> (and there are hardware SSL encryption cards available that can be put in
> an XS for high-volume situations)
>
> it's not just a matter of downloading a package and installing it, but
> it's not rocket science either.
>
> this would have the side effect of making the XS security even more
> critical, but I think that it's already critical enough that this won't
> really make much difference in how it's secured.
>
> David Lang



-- 
"It is difficult to get a man to understand something, when his salary
depends upon his not understanding it." -- Upton Sinclair
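
The three-step flow listed in the message above, sketched as an added example (not part of the original message or of the Sugar/XS code). The cookie layout, HMAC-SHA256 signing, the 8-hour lifetime, the login URL and the key are all assumptions chosen for illustration.

```python
import hashlib
import hmac

# Assumptions (not from the thread): cookie layout "user|expiry|mac",
# HMAC-SHA256, an 8-hour lifetime, and the login URL below.
SERVER_KEY = b"constructed-demo-key"      # constructed sample value
COOKIE_TTL = 8 * 3600                     # seconds
LOGIN_URL = "https://schoolserver.example/login"


def _mac(user, expiry_s):
    """MAC over the exact strings carried in the cookie."""
    msg = f"{user}|{expiry_s}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(user, now):
    """Step 2: called only after the HTTPS client-cert login succeeded."""
    expiry_s = str(int(now) + COOKIE_TTL)
    return f"{user}|{expiry_s}|{_mac(user, expiry_s)}"


def check_cookie(cookie, now):
    """Return the user for a genuine, unexpired cookie, else None."""
    if not cookie:
        return None
    parts = cookie.split("|")
    if len(parts) != 3:
        return None                       # malformed
    user, expiry_s, mac = parts
    expected = _mac(user, expiry_s)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None                       # forged or altered
    if now >= int(expiry_s):              # expiry_s is trusted once the MAC matches
        return None                       # expired: must reauthenticate
    return user


def handle_http(cookie, now):
    """Steps 1 and 3: decision made for a plain-HTTP request."""
    user = check_cookie(cookie, now)
    if user is None:
        return (302, LOGIN_URL)           # step 1: redirect to HTTPS login
    return (200, user)                    # step 3: no redirection needed
```

Because step 3 runs over plain HTTP, the cookie value is visible on the network; the expiry is what bounds how long a captured value stays usable.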