Fwd: [OSGeo-Edu] website clean-up

Markus Neteler neteler.osgeo at gmail.com
Sun Apr 23 15:01:34 EDT 2006


Here is the lost email from Daniel.

---------- Forwarded message ----------
From: Daniel Brookshier <dbrookshier at collab.net>
Date: Apr 23, 2006 6:21 PM
Subject: Re: [OSGeo-Edu] website clean-up
To: Markus Neteler <neteler.osgeo at gmail.com>
Cc: discuss at edu.osgeo.org

On Apr 23, 2006, at 9:41 AM, Markus Neteler wrote:

>
>> 2. Why is the website (edu.osgeo.org and its siblings) under secure
>> http? I can understand using https when editing, but for normal
>> viewing
>> public, what good does https serve? Are there any
>> disadvantages/advantages to this?
>
> Good question. I have cc'ed the OSGeo community manager Daniel,
> who may comment on that. For me, the https access appears to be
> slower.


This is part of the security model. Simply there are private projects
and other areas that need to be secured. The simplest explanation is
that because of the software, there is no clear demarcation between
secure and non-secure projects or parts of projects. This is further
complicated by the role a user has that secures parts of the site and
even parts of a project from a user with a role. So, what you see
depends on your role, but by keeping the entire system locked up
with https, no one can see what you are looking at. Turning https on
and off would be tricky, and it would be harder to ensure it was secure.

The security model is not something you just turn on/off. Total
security integrity is the key here. The sacrifice of https overhead
is minor compared to the integrity. If you can turn it off for part
of the site, you can also make the mistake of turning it off in the
wrong place. Ask any security expert and they will say secure it all
(and then unplug it from the internet).

The fact that you can see the site at all is a special case for this
publicly accessible site. There is a default 'guest' id that has
specific permissions. When you hit the site without logging in, you
get logged in as guest and off you go.


Besides control of the site features, you might ask, what needs such
bullet-proof security? Well, this is not national defense, but the
software is built to do that and is used by big corporations and
government for highly secure projects. CollabNet keeps its costs down
by using the same software for open source communities like OSGeo and
OpenOffice as it does for the Department of Defense and companies
like HP. Because we have to go through rigorous audits, the software
as a system is deployed only one way to ensure it maintains integrity.

So, overkill? Not really. A little inefficient, but all in the name
of high security.
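The site-wide enforcement Daniel argues for above ("if you can turn it off for part of the site, you can also make the mistake of turning it off in the wrong place") is something an operator can verify rather than assume. The following is an added example, not code from this thread or from CollabNet's platform: an offline audit over captured responses, represented as plain dicts with `url`, `status`, `headers` and `set_cookie` keys, that flags any path still served over plain http, any https response without Strict-Transport-Security, and any cookie set without the Secure attribute. The hostnames and responses in the sample data are constructed for illustration.

```python
"""Audit captured HTTP responses for site-wide HTTPS enforcement.

Added example (not from the OSGeo/CollabNet thread). The response format
(dicts with url/status/headers/set_cookie) is an assumption for this
example; the sample responses below are constructed, not captured from a
real site.
"""
from urllib.parse import urlsplit

REDIRECT_STATUSES = (301, 302, 307, 308)


def audit_response(resp):
    """Return a list of findings (strings) for one captured response."""
    findings = []
    url = resp["url"]
    scheme = urlsplit(url).scheme
    status = resp["status"]
    # Normalise header names so lookups are case-insensitive.
    headers = {k.lower(): v for k, v in resp.get("headers", {}).items()}

    if scheme == "http":
        # A plain-http request must be redirected to https, never answered.
        location = headers.get("location", "")
        if status not in REDIRECT_STATUSES or not location.startswith("https://"):
            findings.append(
                f"{url}: served over plain http (status {status}), "
                "expected redirect to https"
            )
    else:
        # Every https response should pin the browser to https via HSTS.
        if "strict-transport-security" not in headers:
            findings.append(f"{url}: missing Strict-Transport-Security header")

    # Cookies set without Secure would leak session state over http.
    for cookie in resp.get("set_cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            name = cookie.split("=", 1)[0].strip()
            findings.append(f"{url}: cookie {name!r} set without Secure attribute")
    return findings


def audit_site(responses):
    """Run audit_response over every captured response and collect findings."""
    findings = []
    for resp in responses:
        findings.extend(audit_response(resp))
    return findings


# Constructed sample: two correct responses, then two areas where https
# enforcement was "turned off in the wrong place".
SAMPLE_RESPONSES = [
    {"url": "http://edu.example.org/", "status": 301,
     "headers": {"Location": "https://edu.example.org/"}},
    {"url": "https://edu.example.org/", "status": 200,
     "headers": {"Strict-Transport-Security": "max-age=31536000"},
     "set_cookie": ["JSESSIONID=abc123; Path=/; Secure; HttpOnly"]},
    {"url": "http://edu.example.org/wiki/", "status": 200,
     "headers": {"Content-Type": "text/html"}},
    {"url": "https://edu.example.org/login", "status": 200,
     "headers": {"Content-Type": "text/html"},
     "set_cookie": ["session=xyz; Path=/"]},
]

if __name__ == "__main__":
    for finding in audit_site(SAMPLE_RESPONSES):
        print(finding)
```

Running the block prints three findings: the `/wiki/` path answered over plain http, and the `/login` page both lacking HSTS and setting a session cookie without `Secure`. Feeding it responses captured from every route of a real deployment turns "secure it all" from a policy into a check that can fail loudly when one area is misconfigured.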