[MLB-WIRELESS] Melbourne Wireless site and SSL.
Steven Haigh
netwiz at crc.id.au
Mon Jul 23 07:39:07 EST 2012
On 2012-07-23 00:39, Tyson Clugg wrote:
> Steve, you're misrepresenting what was discussed.
We'll have to agree to disagree there.
> You acted without authority by prematurely making the switch in spite
> of what was said by our elected President.
I think the time frame is a little out there. I enabled SSL, tested it
over several days, then added the redirect. It was only when I emailed
the coders list that anyone even noticed the change had been made. The
discussion between myself and Tyson took place AFTER everything was
already functional. I have never been aware of any other process we have
used for web development - including changes to the operational aspects
of the web site.
> I'm not against us switching to SSL, it makes a lot of sense to do so
> for *authenticated* actions on our website. But *not* with the
> minority SSL root certificate authority you installed.
I think you have been the only one calling these guys a 'minority'
provider because you are the first person that has had a device that
didn't work with it. Yes, your single device doesn't work. I would
personally like you to file a bug report with Nokia to help out all
Nokia users that suffer this. It is 100% Nokia's fault - as the root CA
in question has been in the approved root CA bundle for well over 5
years (XP SP3 is the earliest I can personally verify).
> And it still doesn't make sense to *force* SSL for all traffic, when
> 99% of our traffic is by anonymous users for *public* content.
You keep saying it doesn't make sense - but at no point have I seen any
reasons WHY it doesn't seem to make sense. Are we against using SSL just
because it's something new for us? Is it considered a bad thing to secure
against eavesdropping? Is it a bad thing to secure against traffic
loggers? Is it a bad thing to look after our users?
You wouldn't do mail without SSL. It's not a huge step to want to do
browsing over SSL by default (in fact, I'd prefer a web that worked this
way!). Keep in mind that the internet is the very definition of a
hostile network. Any method to make things a little more secure should
be taken.
You also seem to keep thinking that just because it is public content
it shouldn't be secured IN TRANSIT. That is what we are discussing here
- not trying to keep information private.
Oh, and as I mentioned before - the side benefit of all this is that
because everything pointed to ONE location (being
https://www.melbournewireless.org.au/$1), the ranking of Melbourne
Wireless within Google went from ~#7 to #1 for the search term. As such,
I still fail to see the downside - as MORE people should see our
content in the configuration I had vs what we had over the last several
years.
--
Steven Haigh
Email: netwiz at crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299