[Kolab-devel] http without s access to issues.kolab.org (bugzilla)
Jeroen van Meeuwen (Kolab Systems)
vanmeeuwen at kolabsys.com
Fri Dec 2 16:34:52 CET 2011
On 2011-12-02 14:45, Bernhard Reiter wrote:
> On Friday, 2 December 2011 15:27:30, Christoph Wickert wrote:
>> I have seen this in some organizations but IMHO this is a problem of
>> their firewalls rather than of our bugzilla.
>
> Sure it is, but we also want to lower the barrier
> for anyone contributing. And a too high barrier is our problem not
> theirs.
>
>> Please note that we have single sign-on for our employees and partners
>> (this includes your account)
>
> Good to know, I probably knew and forgot. This clearly speaks in
> favour of forcing https for the login.
>
> I personally would use https whenever I log in.
> Maybe I even use a different account, because a public facing perl
> system like bugzilla will not have the security level like a
> production email account on the administration side.
Surely, you must be joking.
I've pointed to three out of many examples where plain-text is allowed
by default, for Kolab Groupware production email accounts -a groupware
solution I believe you use as well- and you tell me a Bugzilla
installation, while enforcing HTTPS, is a security concern to you?
> So for me the single sign on here is not necessary.
>
You'll be pleased to know there's no single sign-on then. We have
reduced sign-on, simply by the concept of hooking everything up to a
single authentication and authorization database -for as far as our
production environment goes.
It is therefore possible to enforce a minimal level of security across
the board, without any of it becoming too much of a hassle for the
consumers of said environment.
> Again, the case for just looking at issues should not require https.
> Other conscious users should have the option to not use their high
> value password over http only. Ideally we also pay the common-ca-tax
> one day.
>
No, we're not going to arbitrarily distinguish between users and
security-conscious users, allowing either to choose either HTTP or HTTPS.
Where that is concerned, it's not unlike, say, http://roundup.kolab.org
Now, getting a certificate for kolab.org as an Open Source project is
feasible. I understand that with you, we have a volunteer to cough up
the approximate 1000 euros for a 10-year (IIRC) wildcard certificate.
Kind regards,
Jeroen van Meeuwen
--
Senior Engineer, Kolab Systems AG
e: vanmeeuwen at kolabsys.com
t: +44 144 340 9500
m: +44 74 2516 3817
w: http://www.kolabsys.com
pgp: 9342 BF08