Wiki & SSL

Phillip Susi psusi at cfl.rr.com
Fri Oct 8 18:39:23 UTC 2010


On 10/8/2010 1:20 PM, Lucian Adrian Grijincu wrote:
> Yes, but what protection does this bring if:
> 
> * the speaker enters "wiki.ubuntu.com" in the browser (default to HTTP)
> 
> * the attacker does NOT redirect to an SSL site and just presents a
> (malicious) HTTP page
> 
> * the speaker has no clue that wiki.ubuntu.com should normally be on HTTPS

My thoughts exactly.  This is an extraordinarily contrived reason to
always use SSL.  Not to mention that ANY site that says to add a
repository hosted on some random server you have never heard of should
probably cause you to think twice.  If it would be that obvious to
people watching changes to the wiki, it should be just as obvious to
someone reading it.

Now that I think about it though, why is the page not cached?  Is it
because the server is setting the no cache flag, or because the browser
refuses to cache documents fetched with SSL?  If the former, then
changing that would help the matter quite a bit while still using SSL.
The load on the server could also be reduced by using null encryption
when sending to the client, or does it have to use the same encryption
both directions?  I suppose you do want any password the client sends to
be encrypted.




More information about the Ubuntu-devel-discuss mailing list