On Wed, Jul 16, 2014 at 11:43:17PM +0100, Steven Chamberlain wrote: > Some sites (I mean, deployments) like to use a caching proxy, especially > if many machines use the same resource, and/or bandwidth is scarce. Or > even just one machine accessing the same resource often. Maybe this > won't apply to anything particular on people.d.o, but certainly a lot of > websites are breaking this recently by becoming HTTPS-only. Unfortunately, many of these proxies are broken. The Squid version in wheezy doesn't support HTTP/1.1, so trying to use chunked encoding or 100 Continue (which is required for certain applications[0]) simply doesn't work. And simply not working is one of the best failure cases for broken proxies. Using HTTPS ensures that the broken proxy problem is gone. > I'm curious to know the rationale for shutting down HTTP access, because > if it is to generally protect web browsers doing web-based login and > using cookies, that would typically be covered by HSTS. And the > privacy-concious may be using the HTTPS Everywhere add-on. I can't speak for DSA here, but I some of the reasons that I went HTTPS-only is that certificates are relatively cheap, pervasive monitoring is not going away, crypto is so cheap computationally on most platforms that there's no reason not to, and broken proxies suck. [0] Git pushes over HTTP with Kerberos, among many others. -- brian m. carlson / brian with sandals: Houston, Texas, US +1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Attachment:
signature.asc
Description: Digital signature