[members-discuss] [ncc-announce] [news] RIPE NCC website becoming HTTPS-only

(cc members-discuss)

Mihnea-Costin Grigore <mgrigore at ripe.net> wrote:

> Dear colleagues,
> 
> We plan to make the www.ripe.net website available over HTTPS only as 
> of 5 February 2015. We believe this change will provide a more secure, 
> efficient website for our users.
> 
> The www.ripe.net website has been available over HTTPS for some time 
> already, and we are now making it HTTPS-only for two reasons: to improve 
> the website's security, and because we plan to integrate RIPE NCC Access 
> (our single sign-on system) with www.ripe.net as part of our larger 
> website redesign project, which requires us to use HTTPS throughout the 
> site.

Some observations spring to mind.

1. www.ripe.net is (as far as I can see - and I could be wrong - please
correct me) primarily an information site, that is it provides publically 
available information to everyone/anyone.  Therefore it does not largely 
transmit anything that needs to be secure and encrypted over SSL.

2. There have been far more security holes in https/TLS/SSL of recent
than plain HTTP as far as I can tell.  Therefore I would say that https
is less secure unless you have sensitive information to transport.
If my assertion (1) is correct then it would not seem beneficial
to SSL proect www.ripe.net - indeed it may make it less secure.

3. Whilst I agree wholeheartedly that SSO is a good plan, in this
case separation of the two different entities (information ie.
www.ripe.net and admin ie. LIR portal) seems like a good idea.

Of course (3) may break the desire for SSO.

Or this may not really matter and no-one may really care. :)

Regards,

-Paul-

-- 
Paul Civati <paul(at)racksense.com> 0870 321 2855
Rack Sense Ltd - Managed Service Provider - www.racksense.com