[SAC] Re: [OSGeo] #281: Redirect trac http to https

#281: Redirect trac http to https
-----------------------+----------------------------------------------------
  Reporter: timlinux | Owner: sac@lists.osgeo.org
      Type: task | Status: new
  Priority: normal | Component: SAC
Resolution: | Keywords:
-----------------------+----------------------------------------------------
Comment (by crschmidt):

Tim,

Trac uses somewhat aggressive cookie-based caching that is sometimes
somewhat difficult to get around. Sometimes, even after logging in, you'll
still get an old "Permission Denied". The reason that switching to HTTPS
fixes this is not because of something inherent in HTTPS, but simply
because it's a *different* URL: If you were to make everything HTTPS, you
would (I expect) see the same behavior.

SSL requires additional round trips to the server: Frank is on a
connection which is very high latency (which low bandwidth can cause, but
generally doesn't directly) -- for Satellite, this latency is often in the
.75s-1.5s range, which is very different from the latency even on very
slow connections. (Dialup is typically only in the 250ms range, for
example.) So, there is definitely a possibility that Frank's connection
would be a 'worst case scenario' for this.

I don't think that any of us are directly advocating for not making the
login step HTTPS, simply ensuring that if you start at HTTP, login via
HTTPS, you can still do your 'work' in HTTP: there is no particular
security risk with this because trac doesn't use passwords directly other
than for logging in. (It uses a cookie system to manage after that.)

Hopefully this helps address some of the concerns here. I think that the
main fix at the moment would be to change the 'login' links to always be
HTTPS, so that users are typically sent through that mechanism.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/281#comment:4>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.
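The login-only redirect proposed in the comment above (send the login step through HTTPS, leave ordinary browsing on HTTP), shown as an added Apache httpd configuration sketch. This is not the OSGeo server's configuration and not part of the ticket; it assumes Apache with mod_rewrite and mod_ssl, a Trac project mounted at /osgeo (as the ticket URL suggests) whose login page is therefore /osgeo/login, and placeholder certificate paths.

```apache
# Added example, not the OSGeo configuration. Assumes: Apache httpd with
# mod_rewrite and mod_ssl; Trac project mounted at /osgeo; login page at
# /osgeo/login; certificate paths below are placeholders.

<VirtualHost *:80>
    ServerName trac.osgeo.org

    RewriteEngine On
    # Redirect only the login step to HTTPS. Every other path is left on
    # plain HTTP, so browsing and ticket work avoid the extra TLS round
    # trips that the comment is concerned about on high-latency links.
    RewriteRule ^/osgeo/login$ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]

    # The usual Trac handler configuration for /osgeo (mod_wsgi or
    # similar) is kept exactly as before; it is omitted from this sketch.
</VirtualHost>

<VirtualHost *:443>
    ServerName trac.osgeo.org

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/trac.osgeo.org.pem   # placeholder
    SSLCertificateKeyFile /etc/ssl/private/trac.osgeo.org.key # placeholder

    # Trac is served here with the same handler configuration as on :80,
    # so /osgeo/login is answered over TLS and the user can then continue
    # on either scheme.
</VirtualHost>
```

The RewriteRule matches only the exact login path, so a user who follows an HTTP "Login" link is bounced once to HTTPS and is otherwise unaffected; changing the "login" link itself to an absolute https:// URL, as the comment suggests, saves that one redirect for users who start from the link.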