[aklug] Re: reviewers needed

From: Christopher Howard <christopher.howard@frigidcode.com>
Date: Mon Mar 05 2012 - 21:34:35 AKST


On 03/05/2012 09:06 PM, Jeremy Austin wrote:
> On Mon, Mar 5, 2012 at 6:45 PM, Christopher Howard
> <christopher.howard@frigidcode.com> wrote:
>
>> That argument can go around and around, but keep coming back to
>> the original requirements. Then, we see that the answer to your
>> question is irrelevant, because the absolute requirement was
>> bypassed so badly that the model was broken. We're not using
>> the SSL security model, and haven't been since 1995. So you
>> can do whatever you like, or more practically, whatever you feel
>> you can get away with (think about the dozens of connections that
>> modern portals fire up, and outsourced payment processors and
>> google tools and ...).
>
> We're not using the model at all? This sounds a little FUDdy to me.
> I see more and more web sites using the correct model, as I
> understand it, where the entire session is encrypted; Facebook,
> Gmail, Twitter, etc. Definitely trending in the right direction.
>
> jermudgeon ---------

I can't speak to long term trends, but my personal experience in this
area has been pretty bad. For example, /many/ sites I have
encountered, such as linuxquestions.org, encrypt the delivered page,
but all the static content (images, css, et cetera) is passed through
a subdomain that does not have SSL support and so those parts are
unencrypted. Amazon.com won't even allow you to use HTTPS until you
get to the cart.

Some sites are rather deceptive about it as well. For example, if you
go to YouTube it will appear as though the connection is fully
encrypted, but actually the video is being pulled in over HTTP by the
JavaScript. (At least, in HTML5 mode -- presumably it is the same with
Flash.)

Try browsing with strict HTTPS enforcement for two or three days and
you'll be pretty amazed at how bad things are. (NoScript plugin has
HTTPS enforcement capabilities, including enforced encrypted cookie
support.)

- --
frigidcode.com
indicium.us
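The pattern described in the message above (an HTTPS page whose static assets come from an HTTP-only subdomain) is exactly what a mixed-content audit looks for. The following is an added example, not code from the post or from NoScript: a small static checker that parses a page's HTML and reports every subresource the browser would fetch over plain HTTP. The hostnames and the sample page are constructed for the example; the only assumption is the standard browser behaviour that relative and scheme-relative URLs inherit the page's scheme.

```python
"""Static mixed-content audit for an HTTPS page.

Added example (not code from the mailing-list post): parses the HTML of a
page served over HTTPS and lists every subresource the browser would fetch
over plain HTTP. Hostnames and the sample page below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes whose value triggers a subresource fetch.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src", "srcset"),
    "object": ("data",),
    "embed": ("src",),
}

# <link> only fetches for these rel values; rel="canonical" and friends are metadata.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload", "manifest"}


class SubresourceCollector(HTMLParser):
    """Collects (tag, absolute_url) for every fetchable subresource, in document order."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = (attrs.get("rel") or "").lower().split()
            if not FETCHING_LINK_RELS.intersection(rels):
                return
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":
                # srcset = "url descriptor, url descriptor, ..."; keep the URL part only
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value.strip()]
            for cand in candidates:
                # Relative and scheme-relative ("//host/x") URLs inherit the page's
                # scheme, so resolve against the page URL before inspecting it.
                self.resources.append((tag, urljoin(self.page_url, cand)))


def find_mixed_content(page_url, html):
    """Return [(tag, url)] for subresources that would load over plain HTTP."""
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    collector.close()
    return [(tag, url) for tag, url in collector.resources
            if urlsplit(url).scheme == "http"]


# Constructed sample: an HTTPS forum page that pulls static assets from an
# HTTP-only static subdomain, the pattern described in the message above.
SAMPLE_PAGE_URL = "https://forum.example.test/thread/1"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<link rel="canonical" href="http://forum.example.test/thread/1">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="/img/logo.png">
<img src="http://static.example.test/banner.png"
     srcset="http://static.example.test/banner@2x.png 2x, /img/banner.png 1x">
<video poster="https://media.example.test/poster.jpg"
       src="http://media.example.test/clip.mp4"></video>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"mixed content: <{tag}> {url}")
```

On the sample page this flags the stylesheet, both banner images and the video file, while leaving the scheme-relative script, the site-relative logo and the canonical link alone. A static parse cannot see resources that a script fetches at runtime, which is the YouTube case the message describes; that gap is why browser-side enforcement (the NoScript HTTPS enforcement mentioned above) or server-side policy such as HSTS and the CSP directive upgrade-insecure-requests is needed in addition to auditing the markup.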
Received on Mon Mar 5 21:31:41 2012

This archive was generated by hypermail 2.1.8 : Mon Mar 05 2012 - 21:31:41 AKST