
Re: Re: people.debian.org will move from ravel to paradis and become HTTPS only

On Wed, Jul 16, 2014 at 11:43:17PM +0100, Steven Chamberlain wrote:
> Some sites (I mean, deployments) like to use a caching proxy, especially
> if many machines use the same resource, and/or bandwidth is scarce.  Or
> even just one machine accessing the same resource often.  Maybe this
> won't apply to anything particular on people.d.o, but certainly a lot of
> websites are breaking this recently by becoming HTTPS-only.

Unfortunately, many of these proxies are broken.  The Squid version in
wheezy doesn't support HTTP/1.1, so trying to use chunked encoding or
100 Continue (which is required for certain applications[0]) simply
doesn't work.  And simply not working is one of the best failure cases
for broken proxies.  Using HTTPS ensures that the broken proxy problem
is gone.

> I'm curious to know the rationale for shutting down HTTP access, because
> if it is to generally protect web browsers doing web-based login and
> using cookies, that would typically be covered by HSTS.  And the
> privacy-conscious may be using the HTTPS Everywhere add-on.

I can't speak for DSA here, but some of the reasons that I went
HTTPS-only are that certificates are relatively cheap, pervasive
monitoring is not going away, crypto is so cheap computationally on most
platforms that there's no reason not to, and broken proxies suck.

[0] Git pushes over HTTP with Kerberos, among many others.

brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187