savannah-hackers-public
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Savannah-hackers-public] Stay in https after login?

From: Bob Proulx
Subject: Re: [Savannah-hackers-public] Stay in https after login?
Date: Fri, 3 Jan 2014 15:18:02 -0700
User-agent: Mutt/1.5.21 (2010-09-15) 
Sylvain wrote:
> Bob Proulx wrote:
> > > To me this is a bug.
> > 
> > Which part of it?  There were several things mentioned.
> 
> The only non-sensible one : that _un_checking 'stay in https' stays in
> https nonetheless.

Well...  That technically may be a bug but it is one of those bugs
that would never be noticed.  Because with the previous push to https
that is generally what we want it to do.

It would be worse if it failed the other direction and when https was
desired it kicked the user back to http.  That way would be the bad
case.  I am sure that would have been noticed.

However you had said the need case was for a site that restricts
access to all but a whitelisted set of domains and gnu.org was not in
that whitelist.  In such an environment savannah would need to *never*
access https in order to allow a login.  That is different
functionality than switching from https to http after login.  Even if
the switch from http-to-https worked the restricted site would not be
able to log in due to the https block.  Therefore I don't see the
utility of a switch back to http feature.  For your use case it would
need to allow logging in using http which opens the security hole of
sending passwords in clear text.

At one time it was generally thought that if everyone used https that
the encryption would load down a server.  That is why many sites
logged in with https but then switched to http.  Then they would
require an https login again before doing anything that required
security.  But as time has gone by hardware has gotten faster and
using https all of the time is now generally thought not to be a
server load concern.  The https is currently required and frontend
hasn't been suffering load problems.  (vcs has but that is a different
server.)

> But actually it's not a bug : this checkbox creates a cookie that make
> the browser auto-switch to https when they open http://savannah.gnu.org.
> Unchecking the box does not set that cookie.

Are you saying that you can make this switch back to http for you?  I
can't.  It always stays in https from my testing.

> > > There may be a conflict between the choice of the checkbox and a)
> > > HTTPSEverywhere plugin and/or b) a previous Savane cookie requesting
> > > to switch to https.
> > 
> > I am not sure what you are trying to say here.  The HTTPSEverywhere
> > plugin isn't needed for accessing Savannah since Savannah already
> > switches users to https without the plugin.
> 
> HTTPSEverywhere switches to https whatever you do and can mess-up
> one's interpretation of this checkbox behavior.

I don't have HTTPSEverywhere installed in my browser.  So this
particular issue won't be affecting me.  Which now I assume is what
you are saying.  Nor should cookies be a problem either.

I found a machine that has never visited savannah before ever.  I hit
the login.php page using http.  I unchecked the stay in https box.  I
logged in.  After logging in the connection remained in https mode.  I
verified that no browser plugins were installed.  It was a stock but
current Firefox.

Bob
reply via email to
[Prev in Thread] Current Thread [Next in Thread]