On Wed, Feb 13, 2013 at 01:52:15AM -0500, Seth Vidal wrote:
> For the rest we make them non-ssl'd. The openid login, of course
> would be ssl'd, but the rest of the site doesn't really need to be,
> does it?

I guess if fedorahosted is not used via HTTPS, attackers could easily make users not use HTTPS for the openid login by tampering with the response from fedorahosted. Also there is probably a session cookie involved that is validated via openid; this could still be used by attackers to access fedorahosted with the privileges of the original user.

Regards
Till

_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
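As an added example (not part of Till's message or any Fedora infrastructure code), a small Python audit that checks constructed HTTP responses for the two risks raised above: a plain-HTTP page that can be altered in transit before the user ever reaches the HTTPS OpenID login, and a session cookie that is sent without the Secure flag. The sample responses and the hostname example.org are constructed placeholders.

```python
from typing import Dict, List, Set, Tuple

# A response is modelled as: scheme the page was served over,
# status code, and a list of (header-name, value) pairs.
Response = Dict[str, object]


def parse_set_cookie(value: str) -> Tuple[str, Set[str]]:
    """Return (cookie name, lower-cased attribute names) for a Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit(resp: Response) -> List[str]:
    """List deployment findings for a single response (empty list = OK)."""
    findings: List[str] = []
    headers = {k.lower(): v for k, v in resp["headers"]}
    cookies = [v for k, v in resp["headers"] if k.lower() == "set-cookie"]
    if resp["scheme"] == "http":
        # A plain-HTTP page is acceptable only if it immediately redirects
        # to HTTPS; otherwise its body (login links included) is unprotected.
        loc = headers.get("location", "")
        if not (300 <= resp["status"] < 400 and loc.startswith("https://")):
            findings.append("plain-HTTP page without redirect to HTTPS")
    elif "strict-transport-security" not in headers:
        # Without HSTS, browsers still follow plain-HTTP links to this host.
        findings.append("HTTPS response lacks Strict-Transport-Security")
    for raw in cookies:
        name, attrs = parse_set_cookie(raw)
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure (sent over plain HTTP)")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly")
    return findings


# Constructed samples: a mixed HTTP/HTTPS deployment versus a hardened one.
MIXED_SITE: Response = {"scheme": "http", "status": 200, "headers": [
    ("Content-Type", "text/html"), ("Set-Cookie", "session=abc123; Path=/")]}
HTTP_REDIRECT: Response = {"scheme": "http", "status": 301, "headers": [
    ("Location", "https://example.org/")]}
HARDENED_SITE: Response = {"scheme": "https", "status": 200, "headers": [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")]}

if __name__ == "__main__":
    for label, r in [("mixed", MIXED_SITE), ("redirect", HTTP_REDIRECT),
                     ("hardened", HARDENED_SITE)]:
        print(label, audit(r) or "OK")
```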