[Sugar-devel] [PATCH] webactivity: seed the XS cookie at startup

Martin Langhoff martin.langhoff at gmail.com
Fri Feb 13 05:51:02 EST 2009


On Fri, Feb 13, 2009 at 7:07 AM, Carol Farlow Lerche <cafl at msbit.com> wrote:
> Martin, I want to understand what https traffic you are concerned will
> affect performance and caching.  As far as I understand the need for https,
> it would only be used infrequently, when reauthenticating to the server.
> I.e..:

What you describe was the plan B in my earlier postings. It first does
crypto, and then falls back to a totally MITM'able cleartext cookie.
So the crypto is just a lot of programming work for a tiny gain.

>From a security standpoint, we either do https with client side cert,
or we relax and use plaintext cookies.

cheers,


m
-- 
 martin.langhoff at gmail.com
 martin at laptop.org -- School Server Architect
 - ask interesting questions
 - don't get distracted with shiny stuff  - working code first
 - http://wiki.laptop.org/go/User:Martinlanghoff



More information about the Devel mailing list