Comment 5 for bug 1507013

Rogan Hamby (rogan-hamby) wrote : Re: [Bug 1507013] Re: Forcing HTTPS breaks some functionality in staff client

A man-in-the-middle attack against offline transactions seems pretty
unlikely to me as well.

On Tue, Oct 20, 2015 at 1:01 PM, Mike Rylander <email address hidden> wrote:

> Re offline.pl, you're correct. However, we should allow offline.pl to
> be accessed without SSL until a major release, and then add the apache
> config changes to the upgrade instructions. Individual sites that
> choose to upgrade their staff client at minor release boundaries can, of
> course, gain the benefit and choose to apply the apache config changes.
>
> The reason for the delay in forcing SSL until the next major release is
> the long-standing position that any X.Y staff client should be able to use
> any X.Y server. We could force the issue, but I (personally) don't see
> MITM against offline transaction upload as an attack surface worth
> breaking that rule for.
>
> Thoughts?
>
> As for ZOOM, that's great news! Are there clients other than yaz-client
> that support TLS or SSL? If essentially all do, we could certainly
> document how to set that up so sites can give out secure URLs. I've no
> actual opinion on whether it's worth the effort to secure localhost
> connections weighed against the (however slight) increased CPU time and
> latency that would bring, so I'll leave it to those with tuits to judge.
> ;)
>
> Thanks for the info, Galen!
>
> --
> You received this bug notification because you are subscribed to
> Evergreen.
> Matching subscriptions: evergreenbugs
> https://bugs.launchpad.net/bugs/1507013
>
> Title:
> Forcing HTTPS breaks some functionality in staff client
>
> Status in Evergreen:
> New
>
> Bug description:
> Evergreen 2.8.1
> OpenSRF 2.4
>
> During our last upgrade, we tried forcing HTTPS on all connections,
> OPAC and XUL client alike. We implemented this with a 307 redirect at
> the load balancer level. For the most part it worked. However, we had
> to add exceptions in two cases:
>
> 1. path /cgi-bin/offline/offline.pl - if you force HTTPS, uploading
> offline circ transactions will fail
> 2. paths beginning /opac/extras/sru - YAZ simple2zoom apparently cannot
> handle HTTPS, and also can't handle 307 redirects
>
> We want HTTPS to work in these places, and anywhere else where it
> currently breaks things (a list of other issues like this would be
> useful). I'm creating this ticket primarily to share our experiences;
> I don't have a fix in mind.
>
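For reference, an Apache configuration that implements the redirect scheme described in the bug report, with the two exemptions the reporter needed, as an added example (not configuration from the Evergreen project or from anyone in this thread). It assumes a plain-HTTP vhost fronting the Evergreen web services and that mod_rewrite is enabled.

```apache
<VirtualHost *:80>
    ServerName evergreen.example.org   # placeholder hostname
    RewriteEngine On

    # Exemption 1: the offline circulation upload endpoint (exact path).
    # Forcing HTTPS here breaks uploads from older staff clients.
    RewriteCond %{REQUEST_URI} !^/cgi-bin/offline/offline\.pl$

    # Exemption 2: the SRU endpoints (path prefix).
    # YAZ simple2zoom cannot follow the redirect or speak HTTPS.
    RewriteCond %{REQUEST_URI} !^/opac/extras/sru

    # Everything else is sent to HTTPS. 307 keeps the original method and
    # body, so a POST is replayed as a POST rather than downgraded to GET.
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=307,L]
</VirtualHost>
```

Do not emit a Strict-Transport-Security header on this host while the exemptions are in place: HSTS instructs clients to upgrade every request to HTTPS, including the two paths deliberately left on plain HTTP.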