Wiki & SSL
Clint Byrum
clint at ubuntu.com
Fri Oct 8 17:02:54 UTC 2010
On Oct 8, 2010, at 8:38 AM, Phillip Susi wrote:
> wiki.ubuntu.com forces you to use an SSL connection via automatic
> redirect to https. Why does it do this, and can we stop that please?
> There is no reason for using SSL to access a public web site when you
> are not logged in. It only serves to slow things down, prevent caching,
> and put a lot more load on the server.
>
There are some very good reasons to have the wiki on SSL.
Let's say you are at a conference where a speaker suggests going
to wiki.ubuntu.com to read a page about XYZ feature.
Some nefarious person who hears this can very quickly set up a DNS
cache poisoning to redirect those requests to his server where he
rewrites the page to include directions to add a PPA where he has
uploaded evil packages that take over people's machines.
Yes, it's a wiki so this person could do that by logging in and
changing it, but wiki pages have subscribers and so there will be
at least some chance of early detection.
With SSL, this will at least show some very serious warnings about
the SSL certificate. Even if he just redirects from the http port
on wiki.ubuntu.com to https on his evil server, he will have to
change the name, and the attack has yet another chance of being
thwarted.