Tags:
create new tag
, view all tags

Feature Proposal: Topic tag to render topics using SSL (https)

Motivation

TWikis that sometimes use SSL need a way to determine which links, topics and attachments should use SSL.

Description

I would like to be able to set a metatag or a variable that would specify if a topic and it's attachments are linked and rendered using SSL (https). All other topics and their attacments would be linked and rendered without using SSL (http). Some common topics that most sites should always secure are DoLogin and TWikiRegistration.

-- RobKirk - 01 Aug 2005

Impact and Available Solutions

Documentation

If necessary, user documentation of new features introduced by this proposal.

Examples

Example uses of features introduced by proposal.

Implementation

Any comments on how the feature is implemented or could be improved


Discussion:

CDot suggested I use mod_rewrite to accomplish this. Agree? Disagree? What would the performance difference be?

-- RobKirk - 01 Aug 2005

I'd realy like to see this feature in TWiki. Something like

   * Set USESSL = TRUE
to protect the current topic. But actually we need to secure oops messages presenting a login page as well making this an AuthPagePlugin issue also.

I disagree with CDot on using mod_rewrite. This would be realy awkward and need a shell access to change the rewrite rules. By the way, not everybody wants to dig into the apache docus to figure out how to write mod_rewrite rules. Adding a USESSL is much easier.

Actually, I'd like to extend the ssl proposal a little: optionally protect any authenticated connection using https, fall back to http for guests. Reason: there's no point in restricting view access to a web or topic while leaving it readable for a man in the middle. So when some config variable (e.g. DoEncryption) is set to true all TWiki links will be rendered using https for non-guests. Beat me, how could this be done with mod_rewrite?

-- MichaelDaum - 01 Aug 2005

Actually, Michael, when including non-authenticated resources on a topic, you don't always want to use SSL. I originally setup my site to use SSL on every single page, but that became a real pain when I tried to use pictures from my non-ssl domain in any twiki topics. Makes sense that the browser (IE) displayed a Security Information dialog saying "This page contains both secure and nonsecure items. Do you want to display the nonsecure items? [Yes] [No] [More Info]" ... that scared my end users since they didn't know the reason behind it ... they just clicked [No]. Perhaps there is a way around this. I wouldn't be opposed to having pages with restricted permissions displayed using SSL by default and those with open permissions being displayed without SSL by default. I image this would be configurable using a global variable and each default could be overriden using a topic or web variable.

-- RobKirk - 01 Aug 2005

Edit | Attach | Watch | Print version | History: r4 < r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r4 - 2005-08-02 - RobKirk
 
  • Learn about TWiki  
  • Download TWiki
This site is powered by the TWiki collaboration platform Powered by Perl Hosted by OICcam.com Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.
Copyright © 1999-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.