Secure login: check
jducoeur wrote in querki_project
Progress towards Alpha continues. I'll have a release to report on shortly, but in the meantime Aaron has made the necessary tweaks so that login is HTTPS-based. That's a small but important detail -- most users don't even think to look for it, but login pages should *always* be HTTPS, or else using the system in a coffee shop becomes stupidly risky.

I will note that, for the moment, we're *not* using HTTPS across the board, and those who are deeply security-conscious should take note of that. Frankly, that is solely a matter of money: HTTPS winds up causing you to have to send a lot more traffic, and that's challenging while I'm still paying for this whole thing out-of-pocket. Sometime after we have some revenue (and know what our data flows and expenses really look like), we might revisit the question. Personally, I *like* all-HTTPS sites (and yes, there are good reasons for it), but we can't take the investment too casually. So if you care deeply about this, please squirrel the question away, and raise it again next year, when we'll be prepared to have that conversation more seriously...

Hmm. I too really like all-https sites. And computationally the overhead isn't what it used to be, but I was unaware of the traffic overhead. Do you have any pointers to data on that? Clients have asked for some breakdowns as to the differences. For my purposes the data usually doesn't matter too much, but being aware of it is a good thing.

I don't offhand -- that's my understanding of what would happen under Apache. It doesn't astonish me -- I could see that as a side-effect of each session having its own crypto keys, depending on how the protocol works -- but it's a good point that we should sanity-check that...

This thread on SO is pretty informative on the subject, and at least somewhat backs up what I was told. Basically, it says that many browsers don't do local caching of content from HTTPS sessions, and most shared-cache systems don't.

It's almost certainly worth our while to profile (Querki is so far less image-intense than most sites), and it's quite possible that we'll set things up to *allow* all-HTTPS, even if we don't default to/require it for some time yet. We'll see...

Given that the thread is 5 years out of date, I wonder if it holds true. Let me know if you do run a profiling test; I'm very curious to know the results.
