I've posted some comments in the same thread over at Einstein.
Basically, if you switch to HTTPS most proxy servers will act as pass-through, which means they lose their caching ability. I would suggest only certain bits of the system use HTTPS (e.g. scheduler, website logon) rather than the whole lot.
That is certainly a point to consider, but OTOH, what caching would be affected by this exactly?
For the forum, no caching by the proxy is useful and therefore none should be allowed anyway (you don't want to get a view of the forum as it was minutes ago... it has to be "live"). Also, just having the logon page secured but then later transferring the session credentials (cookies etc.) in plain text doesn't help security: it might help against intercepting the password but not against hijacking a session...
The other big remaining family of web accesses would be downloads. For a single host per proxy, downloading the same file more than once should be a rare thing. But yes, this might be an issue for big "farms" that share one caching proxy. We could indeed exempt those downloads from https.
Cheers
HB
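To make the session-hijacking point above concrete, here is an added example (not code from the thread or from the BOINC project) that simulates a browser cookie jar applying the cookie Secure rule. The hostname example.invalid, the cookie name sid and the URLs are constructed for illustration. It shows that a session cookie set during an HTTPS logon is sent in the clear on the very next http:// forum page unless it is marked Secure, and that once it is marked Secure the forum only works if it, too, is served over HTTPS.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


class BrowserCookieJar:
    """Minimal cookie jar: one host, honours the Secure attribute like a browser does."""

    def __init__(self):
        self._cookies = {}  # (host, name) -> {"value": ..., "secure": bool}

    def store(self, url, set_cookie_header):
        """Record a Set-Cookie header received from the given URL."""
        host = urlsplit(url).hostname
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            # SimpleCookie sets the flag to True when "Secure" is present, '' otherwise
            self._cookies[(host, name)] = {
                "value": morsel.value,
                "secure": bool(morsel["secure"]),
            }

    def cookie_header_for(self, url):
        """Build the Cookie header a browser would attach to a request for url."""
        parts = urlsplit(url)
        is_https = parts.scheme == "https"
        pairs = [
            f"{name}={c['value']}"
            for (host, name), c in self._cookies.items()
            if host == parts.hostname and (is_https or not c["secure"])
        ]
        return "; ".join(pairs)


def on_path_view(url, cookie_header):
    """What a caching proxy or an on-path attacker can read.

    Over HTTPS the proxy only sees a CONNECT tunnel (hence no caching and no
    cookie); over plain HTTP the full request, cookies included, is readable.
    """
    if urlsplit(url).scheme == "https":
        return None
    return cookie_header or None


def run_session(set_cookie_header, forum_url):
    """Log on over HTTPS (constructed login URL), then fetch a forum page.

    Returns what the browser sent to the forum and what the network could see.
    """
    jar = BrowserCookieJar()
    jar.store("https://example.invalid/login", set_cookie_header)  # logon is always HTTPS
    header = jar.cookie_header_for(forum_url)
    return {"sent_to_forum": header, "seen_on_wire": on_path_view(forum_url, header)}


if __name__ == "__main__":
    # Logon-only HTTPS, cookie without Secure: the session id leaks on the first HTTP page.
    print(run_session("sid=abc123; HttpOnly; Path=/", "http://example.invalid/forum"))
    # Cookie marked Secure but forum still on HTTP: nothing leaks, but the user is logged out.
    print(run_session("sid=abc123; Secure; HttpOnly; Path=/", "http://example.invalid/forum"))
    # Whole session under HTTPS: cookie is sent and the proxy/attacker sees nothing.
    print(run_session("sid=abc123; Secure; HttpOnly; Path=/", "https://example.invalid/forum"))
```

The middle case is the practical consequence of HB's argument: the Secure attribute is the only thing that stops a browser from replaying the cookie over HTTP, and once it is set, every page that needs the session (forum, preferences, account pages) has to be served over HTTPS anyway. Downloads that carry no cookie are unaffected either way, which is why they can stay on plain HTTP for the caching proxy.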
The main one to exempt would be downloads. We'd want all those data files to be cached if possible.
With the website, I would guess (haven't checked) that the cookie is set when the user logs on and gets deleted at log off. Does it change for every page served? Does it change during a session? Does it need to be protected, seeing as it's already on the user's PC?
See my message over at Einstein@Home. For best security, you will want to have the whole session under HTTPS, not just the logon page.
Cheers
HB