[OSGeo-Edu] website clean-up

Daniel Brookshier dbrookshier at collab.net
Sun Apr 23 17:10:54 EDT 2006



On Apr 23, 2006, at 9:41 AM, Markus Neteler wrote:

>
>> 2. Why is the website (edu.osgeo.org and its siblings) under secure
>> http? I can understand using https when editing, but for normal
>> viewing public, what good does https serve? Are there any
>> disadvantages/advantages to this?
>
> Good question. I have cc'ed the OSGeo community manager Daniel
> who may comment on that. For the https access appears to be slower.


This is part of the security model. Simply, there are private projects and other areas that need to be secured. The simplest explanation is that, because of the software, there is no clear demarcation between secure and non-secure projects or parts of projects. This is further complicated by the role a user has, which secures parts of the site and even parts of a project from a user with a role. So, what you see depends on your role, but by keeping the entire system locked up with https, no one can see what you are looking at. Turning https on and off would be tricky, and it would be harder to ensure it was secure.

The security model is not something you just turn on/off. Total security integrity is the key here. The sacrifice of https overhead is minor compared to the integrity. If you can turn it off for part of the site, you can also make the mistake of turning it off in the wrong place. Ask any security expert and they will say secure it all (and then unplug it from the internet).

The fact that you can see the site at all is a special case for this publicly accessible site. There is a default 'guest' id that has specific permissions. When you hit the site without logging in, you get logged in as guest and off you go.


Besides control of the site features, you might ask, what needs such bulletproof security? Well, this is not national defense, but the software is built to do that and is used by big corporations and government for highly secure projects. CollabNet keeps its costs down by using the same software for open source communities like OSGeo and OpenOffice as they do for the Department of Defense and companies like HP. Because we have to go through rigorous audits, the software as a system is deployed only one way to ensure it maintains integrity.

So, overkill? Not really. A little inefficient, but all in the name of high security.
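The argument above, that selective https is easy to get wrong when what a visitor may see depends on role while a single site-wide rule has nothing to misconfigure, can be made concrete with a small audit. The following is an added example, not code from this thread and not CollabNet's software; the projects, roles, paths and rule tables are all constructed for illustration, and the "longest matching prefix" toggle model is an assumption about how a per-path https switch might work.

```python
"""Added example (not from the thread or CollabNet's software): a toy model of
per-path https toggles versus a single site-wide https rule, audited against
role-based visibility. Everything below is constructed for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    path: str
    project: str
    roles: frozenset  # roles that may view it; "guest" marks public content


# Constructed site: the 'edu' project mixes public docs with two members-only
# areas, 'pilot' is admin-only, and /login is public but carries credentials.
SITE = (
    Resource("/projects/edu/docs/", "edu", frozenset({"guest", "member", "admin"})),
    Resource("/projects/edu/private/", "edu", frozenset({"member", "admin"})),
    Resource("/projects/edu/reports/", "edu", frozenset({"member", "admin"})),
    Resource("/projects/pilot/", "pilot", frozenset({"admin"})),
    Resource("/login", "site", frozenset({"guest", "member", "admin"})),
)

PUBLIC_ROLE = "guest"  # the default id a visitor is mapped to when not logged in


def scheme_for(path, https_prefixes):
    """Selective design (assumed model): https only under a listed prefix,
    everything else is served over plain http."""
    return "https" if any(path.startswith(p) for p in https_prefixes) else "http"


def find_exposures(site, https_prefixes):
    """Audit a per-path https table. Reports every restricted resource that
    would be served in the clear, the login page if it is in the clear, and
    every project whose resources are split across http and https (the
    'no clear demarcation inside a project' problem from the reply)."""
    findings = []
    schemes_by_project = {}
    for r in site:
        scheme = scheme_for(r.path, https_prefixes)
        schemes_by_project.setdefault(r.project, set()).add(scheme)
        if scheme == "http" and PUBLIC_ROLE not in r.roles:
            findings.append((r.path, "restricted content reachable over plain http"))
        if scheme == "http" and r.path == "/login":
            findings.append((r.path, "credentials would be sent in the clear"))
    for project, schemes in sorted(schemes_by_project.items()):
        if len(schemes) > 1:
            findings.append((project, "project split across http and https"))
    return findings


# A selective table an admin might write: login, the pilot project and one
# members-only area are covered, but /projects/edu/reports/ was forgotten.
SELECTIVE = ("/login", "/projects/pilot/", "/projects/edu/private/")

# The site-wide rule: every path is under "/", so there is nothing to forget.
SITE_WIDE = ("/",)


if __name__ == "__main__":
    for name, rules in (("selective", SELECTIVE), ("site-wide", SITE_WIDE)):
        print(f"{name}: {find_exposures(SITE, rules) or 'no exposures'}")
```

Running it shows the selective table leaking the forgotten reports area and leaving the 'edu' project half in the clear, while the site-wide rule produces no findings; the check itself is the kind of thing to keep around if a site ever does move to selective https, since the mistake the reply warns about is a silent one.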
