What to do with ssl="authenticated sessions" + code freeze date for Bugzilla 3.6

David Miller justdave at bugzilla.org
Wed Aug 19 23:58:49 UTC 2009


Marc Schumann wrote on 8/19/09 4:25 PM:
> I gather that we should log in *from* an
> encrypted page, though, and since this means every page allows a log
> in now, every page must be encrypted. Can you shed some light on why
> this is so? Why can't we log in from an unencrypted page, moving to
> SSL just when logging in? Is it some man-in-the-middle thing?

Yes.  If you got man-in-the-middled on your way to the http page, you'd
never know, and you have no proof the form is going to submit to an
https destination without viewing the source.  If the form is https to
begin with then you have the certificate validation to know you got the
form itself from the trusted source as well.

-- 
Dave Miller                                   http://www.justdave.net/
System Administrator, Mozilla Corporation      http://www.mozilla.com/
Project Leader, Bugzilla Bug Tracking System  http://www.bugzilla.org/
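The check Dave describes (whether a login form arrives over https and posts to https) can be automated rather than done by viewing source. The script below is an added example, not Bugzilla code; the markup and hostnames in it are constructed placeholders.

```python
"""Added example, not Bugzilla code: flag login forms that a man-in-the-middle on
a plain HTTP leg could have rewritten, because no certificate check covers them."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LoginFormCollector(HTMLParser):
    # Records the resolved action URL of every <form> that holds a password field.
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.login_forms = []
        self._action = None          # action of the form currently being parsed
        self._has_password = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # An absent action posts back to the page's own URL.
            self._action = urljoin(self.page_url, attrs.get("action") or "")
            self._has_password = False
        elif tag == "input" and self._action is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._has_password:
                self.login_forms.append(self._action)
            self._action = None

def audit_login_page(page_url, html):
    """Return findings for login forms on the page; an empty list means clean.
    Both the page carrying the form (so the form itself is delivered under
    certificate validation) and the form's target (so the credentials are) must be https."""
    collector = LoginFormCollector(page_url)
    collector.feed(html)
    collector.close()
    findings = []
    page_scheme = urlsplit(page_url).scheme
    if collector.login_forms and page_scheme != "https":
        findings.append("login form delivered over %s, not https" % page_scheme)
    for action in collector.login_forms:
        if urlsplit(action).scheme != "https":
            findings.append("login form posts credentials to %s" % action)
    return findings

# Constructed sample markup (not real Bugzilla pages); hostnames are placeholders.
SAFE_FORM = ('<form action="/login" method="post"><input name="user">'
             '<input type="password" name="pass"></form>')
REWRITTEN_FORM = ('<form action="http://other-host.invalid/login" method="post">'
                  '<input type="password" name="pass"></form>')
```

Run it against a fetched login page with the URL it was fetched from; a relative action inherits the page's scheme, so an http page with a relative action produces two findings.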
