Re: Sites hosted on gudrun are now https-only




On Sun, 21 Oct 2012 22:32:07 +0200
Thomas Bächler <thomas@xxxxxxxxxxxxx> wrote:

> Out of curiosity, what is the motivation for this change?

I wonder too. If you have some server-side PHP or CGI, then enforcement
is far better via a persistent redirect; MITM is not prevented in either
case.

From the experience of a friend of mine who had boot trouble with Linux
fsck (a problem OpenBSD does not have) with a dead laptop and BIOS
battery: any machine with a wrong clock (many more than you think,
despite NTP) will be denied service, with little gain in security
over a PHP-enforced redirect (except making the attacker proxy no SSL or
a similar rather than the same domain; you could argue a smaller window
after first connect, but considering the constant exploits for browsers
and a MITM, does it buy you anything except denying some users access when
pacman uses GPG?).

SSL RFCs knew this and state that, except for higher-level protocols,
standard SSL does not require a correct clock. I won't deny any
customers access to my sites for the sake of HSTS, in any case. If the
data about lost customers is discovered by the likes of PayPal, I will
expect it to be promptly switched off or modified for compliance, like
the terrible DNSSEC saga.
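The message above contrasts a server-side persistent redirect with HSTS and raises the wrong-clock failure mode. The following Python is an added example, not code from the thread or from the gudrun setup: it parses a `Strict-Transport-Security` header, classifies how a constructed HTTP response enforces HTTPS (redirect, HSTS, or neither), and models what a browser does with a certificate whose validity window does not match the client's clock. The function names, the sample responses and the dates are all constructed for the example; the behavioural rules follow RFC 6797 (HSTS is ignored over plain http, and a known HSTS host gets a hard failure on certificate errors rather than a click-through warning).

```python
"""Added example (not from the mailing-list thread): compare a 301 redirect
with the HSTS header on constructed responses, and model the effect of a
wrong client clock on each."""
from datetime import datetime
from urllib.parse import urlsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797: ';'-separated
    directives, max-age mandatory). Returns a dict, or None if malformed."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None          # max-age must be a non-negative integer
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, as RFC 6797 requires
    if policy["max_age"] is None:
        return None
    return policy


def classify_enforcement(request_url, status, headers):
    """Classify how a response enforces HTTPS. headers: dict with lower-case
    keys (constructed here, not a live fetch)."""
    result = {"redirect_to_https": False, "permanent": False, "hsts": None}
    origin = urlsplit(request_url)
    location = headers.get("location")
    if status in (301, 302, 307, 308) and location:
        target = urlsplit(location)
        # Only a redirect to https on the *same* host counts as enforcement;
        # a "similar" domain is exactly what a proxying attacker would use.
        if target.scheme == "https" and target.hostname == origin.hostname:
            result["redirect_to_https"] = True
            result["permanent"] = status in (301, 308)
    # RFC 6797 s8.1: an STS header received over insecure transport is ignored.
    if origin.scheme == "https" and "strict-transport-security" in headers:
        result["hsts"] = parse_hsts(headers["strict-transport-security"])
    return result


def client_outcome(client_now, not_before, not_after, hsts_known_host):
    """Model the browser's decision when the certificate validity window is
    checked against the client's (possibly wrong) clock. Dates are ISO strings."""
    now = datetime.fromisoformat(client_now)
    if datetime.fromisoformat(not_before) <= now <= datetime.fromisoformat(not_after):
        return "connect"
    # Out-of-window cert: a known HSTS host gets a hard failure with no user
    # recourse (RFC 6797 s12.1); otherwise the user can click through a warning.
    return "hard-fail" if hsts_known_host else "warning-overridable"


if __name__ == "__main__":
    # Constructed responses for a host that only redirects (no HSTS over https).
    print(classify_enforcement("http://example.org/", 301,
                               {"location": "https://example.org/"}))
    print(classify_enforcement("https://example.org/", 200,
                               {"strict-transport-security": "max-age=31536000; includeSubDomains"}))
    # Dead BIOS battery scenario: clock reset to 2000, cert valid in 2012-2013.
    print(client_outcome("2000-01-01", "2012-06-01", "2013-06-01", hsts_known_host=True))
    print(client_outcome("2000-01-01", "2012-06-01", "2013-06-01", hsts_known_host=False))
```

The last two calls show the point the message makes: with the same wrong clock, a plain redirect-only site degrades to a warning the user can override, while a host the browser already knows as HSTS is refused outright.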
