Martin, I want to understand what https traffic you are concerned will affect performance and caching. As far as I understand the need for https, it would only be used infrequently, when reauthenticating to the server. I.e..:<br>
<br>1. XO connects to Moodle without valid cookie and is redirected to https login.<br><br>2. https client cert is exchanged, and cookie of limited duration is planted).<br><br>3. XO connects to Moodle, cookie is valid, no redirection needed.<br>
<br>There might be particular use cases where the data in transit needed to be protected against snooping, but a use case analysis needs to be done to identify these. I can't imagine that it would be needed in day-to-day classroom use by students. <br>
<br><div class="gmail_quote">On Thu, Feb 12, 2009 at 6:55 AM, <span dir="ltr"><<a href="mailto:david@lang.hm">david@lang.hm</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">On Fri, 13 Feb 2009, Martin Langhoff wrote:<br>
<br>
> On Thu, Feb 12, 2009 at 11:54 PM, Simon Schampijer <<a href="mailto:simon@schampijer.de">simon@schampijer.de</a>> wrote:<br>
>> Plan A - HTTPS to the rescue<br>
>> Just to understand better.<br>
>><br>
>> Is the main issue that we have to change the protocol - or are you more<br>
>> worried about the CPU cost?<br>
><br>
> Both. And also HTTPS network load, as HTTPS is a lot less cache-friendly.<br>
<br>
</div>note that if the XS is acting as a proxy the cache issue can be addressed.<br>
The XS can get a copy of the XO client cert at registration time, and with<br>
it can decrypt the HTTPS traffic and cache the unencrypted version. this<br>
is a lot of cpu, but it's on the XS not the XO, so it shouldn't be as bad<br>
(and there are hardware SSL encryption cards available that can be put in<br>
an XS for high-volume situations)<br>
<br>
it's not just a matter of downloading a package and installing it, but<br>
it's not rocket science either.<br>
<br>
this would have the side effect of making the XS security even more<br>
critical, but I think that it's already critical enough that this won't<br>
really make much difference in how it's secured.<br>
<br>
David Lang<br>
_______________________________________________<br>
Devel mailing list<br>
<a href="mailto:Devel@lists.laptop.org">Devel@lists.laptop.org</a><br>
<a href="http://lists.laptop.org/listinfo/devel" target="_blank">http://lists.laptop.org/listinfo/devel</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>"It is difficult to get a man to understand something, when his salary depends upon his not understanding it." -- Upton Sinclair<br>