Apache OpenOffice (AOO) Bugzilla – Issue 35068
SSL should be supported when entering username and password
Last modified: 2008-11-06 21:10:49 UTC
SSL should be supported when entering username and password, e.g. for IssueZilla.
reassigning to support
This will require a reconfiguration of the site as well as some other details. I have opened an internal issue to figure out what exactly is necessary to get this accomplished.
If we implement SSL for the site it is an all or nothing proposition, we cannot simply add it for the Login screen. Is this acceptable?
Hold on. I don't think this is acceptable. If we require SSL for all accesses to the site, that would include not only search engine crawlers, casual users, but also mail list archive duplicators such as Gmane, to name but a few. Therefore, I think this is a bad idea, unless I am mistaken in its import. Louis reassigning to floeff
Hey there! I agree, activating SSL as an obligation for the whole site does *not* make sense. The costs of the certificates, some users might be irritated, etc. However, I still consider it a security risk logging on over an unencrypted session. Maybe something like SourceForge did can be done? They have a SSL logon page, and the rest is normal unencrypted content. If someone sniffs that password, (s)he can do a lot, at least with certain accounts.
I tend to agree that we should use more sophisticated passwords. We can easily change the criteria for passwords--that's not hard--and it may make sense. Why we didn't, at the very start, was because we rely on the security provided by CVS/ssh2 for the website & source. In other words, a malfeaser who has sniffed my password can be annoying but that's about it. Still. I like being paranoid in advance and am referring this now to Stefan. Stefan: should we make the passwords more difficult? Also changing the summary. cheers, Louis
I guess that this does not solve the problem. I might have the most complex password out there. However, if someone sniffs over the unencrypted connection, (s)he has this password and can do whatever (s)he wants, including uploading to the website. Imagine someone sniffing my password and then uploading warez or pornography. I consider it a serious security risk.
I understand the problem and the failure of solution. However, absent nixing the entire site to use SSL, this is the best we can do ;( . best, Louis
Is there really no alternative? Maybe by a SSL protected logon page on a subdomain? Or, alternatively, logging on via SSL certificates?
Let's come back to the intial request. I changed the title back to "SSL should be supported when entering username and password". SourceForge is not the only example, there are others like Yahoo, ... Difficult passwords are no solution to wiretapping. I have a question about enabling SSL. I guess users logging in via SSL would continue a SSL session. But at the same time other users could access the site via plain HTTP. Is that correct?
I don't know about the technical configuration of the openoffice.org servers, but in general it should be possible to redirect someone who wants to login to https://login.openoffice.org and after verifying his credentials, refering him back to http://www.openoffice.org/some/path/
Queried engineering about st's last question.
I saw that there was an update to this issue in the internal ticket. As was said earlier, it's all or nothing-- currently, sourcecast supports SSL that way (unfortunately). There is a significant performance penalty associated with using SSL; it seems there's a 5x slowdown in page views and a large increase in CPU and memory utilization as well.
The engineers are still working on this issue. We will update you with the status of this issue when there is more substanial information to be given. Regards, Ramya Support Operations
I have updated the internal ticket to explicitly call out the enhancement request of SSL-enabling just the Login servlet.
Has this been integrated into CollabNet EE 3.5.1?
To CRM
After careful review/investigation on this request with our all future roadmaps, functionality, and options we were unable find an area this request can be applied to our future goals. If you would like this request to be considered/implemented by our Services team they would be willing to create a Statement of Work (SOW) for a fee. Thank you for your valuable feedback and we hope you will continue to collaborate and send our team your enhancement requests for we do review and value every one. Resolving this issue as Wont-Fix .
I think this is a major security issue and should be fixed...
close the invalid issue