Date: Fri, 18 Sep 2015 15:30:45 +0200
From: Walter Hop <freebsd@spam.lifeforms.nl>
To: freebsd-security@freebsd.org
Subject: Re: HTTPS on freebsd.org, git, reproducible builds
Message-ID: <7BAECC2B-5001-47D6-9199-8549697E7807@spam.lifeforms.nl>
In-Reply-To: <alpine.LRH.2.11.1509180646470.14490@nber4.nber.org>
References: <CAD2Ti2_YNkNi2b=PzFCwu3PVaP8hOzADys3=-k0AqvsDRhJpzA@mail.gmail.com> <alpine.LRH.2.11.1509180646470.14490@nber4.nber.org>
>
>> Is there some reason "freebsd.org" and all its
>> subdomains don't immediately 302 over to
>> https forever after?
>
> Is there a reason to encrypt something that is completely public? Perhaps to allow the visitor to conceal the fact that they are interested in FreeBSD? That won't work, since the IP address of the server can't be encrypted. I feel like I am missing something.

Privacy is often important, but authentication (i.e. not having content tampered with) may be more important in many cases.

The US and UK governments are owning sysadmins who browse non-HTTPS sites:
http://www.spiegel.de/international/world/ghcq-targets-engineers-with-fake-linkedin-pages-a-932821.html
https://theintercept.com/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/

The Chinese government hijacked non-HTTPS sessions to inject DDoS JavaScript:
https://www.eff.org/deeplinks/2015/04/china-uses-unencrypted-websites-to-hijack-browsers-in-github-attack

If often-used sites migrate to HTTPS (together with HSTS) these attacks will become a lot harder.

I'm also seeing more demand for HTTPS from customers. In Europe there has been a lot of mainstream coverage of tech privacy issues, and various non-technical people now distrust sites that don't have "a lock". So it also has credibility/PR benefits to use it by default.

There is always effort involved in making the switch, but for most sites and applications this is probably not an unreasonable amount given the benefits.

--
Walter Hop | PGP key: https://lifeforms.nl/pgp
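A small model of the browser-side HSTS behaviour the message relies on, added here as an example and not code from the thread or from FreeBSD: it shows why a policy only helps once it has been received over HTTPS, and why the first plain-HTTP visit is still exposed. Host names and header values in it are constructed for illustration.

```python
# Added example (not from the mailing-list thread): a minimal model of the
# browser-side HSTS cache from RFC 6797, illustrating why "HTTPS together with
# HSTS" makes tampering with plain-HTTP sessions harder. Hosts are constructed.
from urllib.parse import urlsplit, urlunsplit


def parse_sts(header):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security
    header value, or None if it carries no usable max-age directive."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsCache:
    def __init__(self):
        self.entries = {}   # host -> (expiry time in seconds, include_subdomains)

    def observe(self, url, header, now):
        """Record a policy. STS headers received over plain HTTP are ignored
        (RFC 6797 section 8.1), so an on-path attacker cannot plant or clear one."""
        parts = urlsplit(url)
        parsed = parse_sts(header)
        if parts.scheme != "https" or parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.entries.pop(host, None)          # max-age=0 revokes the policy
        else:
            self.entries[host] = (now + max_age, include_sub)
        return True

    def upgrade(self, url, now):
        """Return the https:// form of an http:// URL when a live policy covers its
        host (directly or via includeSubDomains on a parent); None means the request
        would leave in the clear, which is the window a first visit still has."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return None
        labels = parts.hostname.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return urlunsplit(("https",) + tuple(parts)[1:])
        return None
```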