[Bug 695857] Re: ssl protection not default for sensitive packages
Clint Byrum
clint at fewbar.com
Mon Jan 3 22:34:40 UTC 2011
Hi janl. This makes a lot of sense, and it just needs some questions
answered before it can go into the confirmed wishlist:

1) If SSL is not installed, but somebody installs webapp foo, should we
then go ahead and allow it to be served via clear HTTP? SSL requires
some setup and possibly acquiring a 3rd party signed certificate,
whereas users inside a LAN may want to allow port 80 access.

2) How does a user specify that they want a service to be insecure? It's
entirely possible that a service is sitting behind an SSL accelerator
and so does not need port 443.

3) Should the apps, if they need protection, just mark themselves as
requiring ssl by having SSLRequireSSL in their default configuration?

Answer those in the bug description, and then we can change the status
to Confirmed.

Marking Incomplete pending answer to the 2 questions above. Setting
Importance to Wishlist.

** Changed in: apache2 (Ubuntu)
Status: New => Incomplete
** Changed in: apache2 (Ubuntu)
Importance: Undecided => Wishlist
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in ubuntu.
https://bugs.launchpad.net/bugs/695857
Title:
ssl protection not default for sensitive packages