ResetTheNet Discussion
HSTS
We could fairly quickly and easily decide to do HSTS for the web
servers that we run here; this does not include http://www.inf.ed.ac.uk,
our main public face - but does include http://homepages.inf.ed.ac.uk/?
What about http://wcms.inf.ed.ac.uk/, which hosts for example the LFCS
pages? This implies using HTTPS for all our pages, even those that only
serve public information, and declaring that we do so.
- if we did so, the benefits (given that we already use https everywhere it's traditionally seen to be needed) would be:
  - being seen to support Reset the Net;
  - making it harder for another site to impersonate us (would have to be an attack aimed at us specifically)
  and the costs would be:
  - initial implementation effort, acceptable we think;
  - some performance overhead of using https for everything, but my guess is that's not large enough to be an issue?
  - monetary cost of certificates? I don't know about this; what numbers are we talking?
  - the risk that some people would have difficulty accessing pages we want them to access. (Hence some support costs when they told us about it, and some opportunity costs when they didn't.) I'm not sure how big a problem this is, but here's a page of people having various different problems accessing facebook and twitter (commonest problem seems to be date/time set wrong on user's computer, but there are others); otoh, it doesn't seem to be doing facebook or twitter too much harm and our users are probably more clueful than theirs on average! https://productforums.google.com/forum/#!topic/chrome/WeZJFO2Ie3Y
PFS
We cannot do this by June 5th, but Alastair will propose a project to
do it (which will then be considered for prioritisation). I'm not clear on
whether using PFS would also commit us to using HTTPS for all pages, or
whether it still makes sense to use even while only some pages use HTTPS?
It's not obvious to me that this has any downside apart from the
implementation cost, though if it requires us to use HTTPS for everything
it has the same costs listed for HSTS.
PGP/GPG for email
I'm also in the group of people who have tried this and given it up as too
cumbersome. It's not obvious that there's much we can sensibly do here to
help concretely, but we could at least make sure our documentation is as
helpful as possible. NB David Aspinall has a nice page here:
http://homepages.inf.ed.ac.uk/da/id/gpg-howto.shtml
The only place I found pgp and gpg mentioned on the computing documentation
pages was here:
http://computing.help.inf.ed.ac.uk/data-security
Perhaps David's page should be linked from here? The information might also
be split, so that we provide information on how to use the software under
Software, and link to it from this Policies and Guidelines page, rather
than only having the software mentioned here.
--
TimColles - 13 May 2014
Topic revision: r1 - 13 May 2014 - 09:14:34 - TimColles