[Sugar-devel] [PATCH] webactivity: seed the XS cookie at startup

Martin Langhoff martin.langhoff at gmail.com
Thu Feb 12 06:09:30 EST 2009


On Thu, Feb 12, 2009 at 11:54 PM, Simon Schampijer <simon at schampijer.de> wrote:
> Plan A - HTTPS to the rescue
> Just to understand better.
>
> Is the main issue that we have to change the protocol - or are you more
> worried about the CPU cost?

Both. And also HTTPS network load, as HTTPS is a lot less cache-friendly.

> So as I understand the process: At registration time with the XS the cert is
> created and transferred to the client. Probably stored than in the profile.
> Browse does than integrate it when it starts. The cert integration itself in
> Browse should not be hard.

You are right, it shouldn't be hard if you "seed" it in the same way
my patch is seeding the cookies.

Carol pointed out another alternative a couple of emails ago. Seems to
sidestep the registration rework, but may be complex to implement.

But I'm more than happy with my simple Plan C :-) - which is about as
safe as gmail over http as most people use everyday!

cheers,



m
-- 
 martin.langhoff at gmail.com
 martin at laptop.org -- School Server Architect
 - ask interesting questions
 - don't get distracted with shiny stuff  - working code first
 - http://wiki.laptop.org/go/User:Martinlanghoff


More information about the Sugar-devel mailing list