
Re: Security for various IETF services

2014-04-06 18:08:31


On Sun, 6 Apr 2014, Stephen Farrell wrote:

> ...
> There is a value in not making cleartext versions of services
> available though - I've personally seen a number of cases where
> http:// URLs were sent via mail with instructions to login at
> that URL using e.g. a datatracker or tools login. Yes, that ought
> not happen (https:// URLs should be sent), but it does happen
> and will so long as the http:// URLs work, and it'd be naive of
> us to assume that everyone sending out such mails would be aware
> that doing so isn't a good plan.

Um, it is not difficult to protect the login credentials while leaving
the remainder of the interaction in the clear. Then it won't matter
what is in the email.

I don't object to making TLS/et al access available when it can be
done at a moderate cost. But that is different than the implied
statement that the intent is to require TLS for future service
access.

I agree with those who've said a threat analysis is needed before
deciding access is limited to TLS or other secure alternative.