
Re: Re: people.debian.org will move from ravel to paradis and become HTTPS only



2014-07-17 2:20 GMT+02:00 brian m. carlson <sandals@crustytoothpaste.net>:
> On Wed, Jul 16, 2014 at 11:43:17PM +0100, Steven Chamberlain wrote:
>> Some sites (I mean, deployments) like to use a caching proxy, especially
>> if many machines use the same resource, and/or bandwidth is scarce.  Or
>> even just one machine accessing the same resource often.  Maybe this
>> won't apply to anything particular on people.d.o, but certainly a lot of
>> websites are breaking this recently by becoming HTTPS-only.
>
> Unfortunately, many of these proxies are broken.  The Squid version in
> wheezy doesn't support HTTP/1.1, so trying to use chunked encoding or
> 100 Continue (which is required for certain applications[0]) simply
> doesn't work.  And simply not working is one of the best failure cases
> for broken proxies.  Using HTTPS ensures that the broken proxy problem
> is gone.
>
>> I'm curious to know the rationale for shutting down HTTP access, because
>> if it is to generally protect web browsers doing web-based login and
>> using cookies, that would typically be covered by HSTS.  And the
>> privacy-conscious may be using the HTTPS Everywhere add-on.
>
> I can't speak for DSA here, but some of the reasons that I went
> HTTPS-only are that certificates are relatively cheap, pervasive
> monitoring is not going away, crypto is so cheap computationally on most
> platforms that there's no reason not to, and broken proxies suck.
Those are all very good reasons for enabling HTTPS, but none of those
serve as a good reason for disabling HTTP.
If someone uses a broken proxy, he/she can fix it or switch to https,
but why are others required to switch?
I for one would be unhappy with losing the ability of using a caching
proxy for APT repositories hosted on p.d.o; I saved many GBs of
bandwidth this way.

I have added debian-admin@l.d.o to CC since according to the email
starting this thread this is the address where questions should be
sent, and apparently this thread did not get any attention from the Admin
Team.

Cheers,
Balint

>
> [0] Git pushes over HTTP with Kerberos, among many others.
>
> --
> brian m. carlson / brian with sandals: Houston, Texas, US
> +1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
> OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

