oss-sec mailing list archives
Re: CVE Request: Enforce use of HTTPS for MathJax in IPython
From: gremlin () gremlin ru
Date: Tue, 5 Aug 2014 15:29:10 +0400
On 03-Aug-2014 12:19:49 -0400, Donald Stufft wrote:
>> Simple question: who do you trust more - your ISP or site owner? Or should I ask whether you trust either of them?
>
> This is a nonsensical point too. I have to trust the site owners to some degree. To what degree broadly depends on what the site itself does; however, at the very least they'll be able to see what account I'm attempting to use.
Or unable to see that unless _you_ decide to log in. Together with disabling cookies by default and wiping them on a regular basis, that may be wise (depending on the sites you visit, of course).
> With enforced HTTPS and HSTS I don't have to trust my ISP.
You should either trust them or avoid signing the contract :-) However, if you suspect them of something unpleasant, you may enforce HTTPS on _your_ side, using it everywhere (with sites that support it). Also, self-signed certificates (or your own CA) are safer for your users than any third party: when a server certificate changes without previous notice, the user may be absolutely sure something went wrong.
>> When a site allows anonymous access, that may be performed via HTTP. Authenticated (over HTTPS) users may (and normally should) work via HTTPS, but forcing all users to use HTTPS is "a VERY bad idea" // (q) Kurt Seifried, 2014-08-03
>
> What is the downside to forcing HTTPS.
Is this a question? Well, now I have a non-trivial answer to it: I've faced the error "ssl_error_no_cypher_overlap" several times when trying to access such HTTPS-only sites, and, instead of getting there "insecurely", I was unable to get there at all. Yes, I use a modern OpenSSL version built without support for weak algorithms.

-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net