Re: CVE Request: Enforce use of HTTPS for MathJax in IPython

[gremlin () gremlin ru]

On 03-Aug-2014 12:19:49 -0400, Donald Stufft wrote:

> > Simple question: who do you trust more - your ISP or site owner?
> > Or should I ask whether you trush either of them?
> This is a nonsensical point too. I have to trust the site owners
> to some degree. To what degree broadly depends on what the site
> itself does however at the very least they'll be able to see
> what account I'm attempting to use.

Or unable to see that unless _you_ deside to log in.

Together with disabling cookies by default and wiping them on
a regular basis, that may be wise (depending of the sites you
visit, of course).

> With enforced HTTPS and HSTS I don't have to trust my ISP.

You should either trust them or avoid signing the contract :-)

However, if you suspect them in something unpleasant, you may
enforce HTTPS on _your_ side, using it everywhere (with sites
that support it).

Also, self-signed certificates (or own CA) is safer for your
users than any third-party: when a server certificate changes
without previous notice, user may be absolutely sure something
went wrong.

> > When a site allows anonymous access, that may be performed
> > via HTTP. Authenticated (over HTTPS) users may (and normally
> > should) work via HTTPS, but forcing all users to use HTTPS
> > is "a VERY bad idea" // (q) Kurt Seifried, 2014-08-03
> What is the downside to forcing HTTPS.

Is this a question?

Well, now I have a non-trivial answer to it: I've faced the error
"ssl_error_no_cypher_overlap" several times when trying to access
such HTTPS-only sites, and, instead of getting there "insecurely",
I was unable to get there at all.

Yes, I use modern OpenSSL version built without support for weak
algorithms.


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net