Comment 4 for bug 1507013

Mike Rylander (mrylander) wrote:

Re offline.pl, you're correct. However, we should allow offline.pl to be accessed without SSL until a major release, and then add the apache config changes to the upgrade instructions. Individual sites that choose to upgrade their staff client at minor release boundaries can, of course, gain the benefit and choose to apply the apache config changes.

The reason for the delay in forcing SSL until the next major release is the long-standing position that any X.Y staff client should be able to use any X.Y server. We could force the issue, but I (personally) don't see MITM against offline transaction upload as an attack surface worth breaking that rule for.

Thoughts?

As for ZOOM, that's great news! Are there clients other than yaz-client that support TLS or SSL? If essentially all do, we could certainly document how to set that up so sites can give out secure URLs. I've no actual opinion on whether it's worth the effort to secure localhost connections weighed against the (however slight) increased CPU time and latency that would bring, so I'll leave it to those with tuits to judge. ;)

Thanks for the info, Galen!
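For reference, here is the shape the "apache config changes" mentioned above would take. This is an added illustration, not configuration shipped by Evergreen or posted in this bug; the script path /cgi-bin/offline/offline.pl, the port numbers and the log paths are assumptions, so adjust them to the site's actual layout.

```apache
# Added example: forcing SSL for the offline interface.
# Not Evergreen's shipped config; the script path below is an assumption.

# Weak form: the offline interface is reachable over plain HTTP, so an
# on-path attacker can read or alter uploaded offline transactions.
<VirtualHost *:80>
    ScriptAlias /cgi-bin/offline/ /openils/var/cgi-bin/offline/
    <Directory /openils/var/cgi-bin/offline>
        Require all granted
    </Directory>
</VirtualHost>

# Hardened form, part 1: the plain-HTTP vhost only redirects the offline
# path to HTTPS. A 301 keeps an older staff client that was configured
# with an http:// URL working, provided it follows redirects.
<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^/cgi-bin/offline/(.*)$ https://%{HTTP_HOST}/cgi-bin/offline/$1 [R=301,L]
</VirtualHost>

# Hardened form, part 2: the SSL vhost serves the script and refuses any
# request that somehow arrives without SSL (SSLRequireSSL returns 403).
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/evergreen.pem      # assumed path
    SSLCertificateKeyFile /etc/ssl/private/evergreen.key    # assumed path

    ScriptAlias /cgi-bin/offline/ /openils/var/cgi-bin/offline/
    <Directory /openils/var/cgi-bin/offline>
        SSLRequireSSL
        Require all granted
    </Directory>

    # Once every client is known to speak HTTPS, HSTS stops browsers from
    # ever retrying the plain-HTTP URL.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Whether to use the redirect (part 1) or only the hard refusal (part 2) is exactly the compatibility trade-off discussed above: the redirect preserves the "any X.Y client works with any X.Y server" rule for clients that follow it, while SSLRequireSSL alone breaks any client still pointed at an http:// URL. The Header directive needs mod_headers, the RewriteRule needs mod_rewrite, and both should be tested with `apachectl configtest` before a reload.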