[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Re: people.debian.org will move from ravel to paradis and become HTTPS only

2014-07-17 2:20 GMT+02:00 brian m. carlson <sandals@crustytoothpaste.net>:
> On Wed, Jul 16, 2014 at 11:43:17PM +0100, Steven Chamberlain wrote:
>> Some sites (I mean, deployments) like to use a caching proxy, especially
>> if many machines use the same resource, and/or bandwidth is scarce.  Or
>> even just one machine accessing the same resource often.  Maybe this
>> won't apply to anything particular on people.d.o, but certainly a lot of
>> websites are breaking this recently by becoming HTTPS-only.
> Unfortunately, many of these proxies are broken.  The Squid version in
> wheezy doesn't support HTTP/1.1, so trying to use chunked encoding or
> 100 Continue (which is required for certain applications[0]) simply
> doesn't work.  And simply not working is one of the best failure cases
> for broken proxies.  Using HTTPS ensures that the broken proxy problem
> is gone.
>> I'm curious to know the rationale for shutting down HTTP access, because
>> if it is to generally protect web browsers doing web-based login and
>> using cookies, that would typically be covered by HSTS.  And the
>> privacy-concious may be using the HTTPS Everywhere add-on.
> I can't speak for DSA here, but I some of the reasons that I went
> HTTPS-only is that certificates are relatively cheap, pervasive
> monitoring is not going away, crypto is so cheap computationally on most
> platforms that there's no reason not to, and broken proxies suck.
Those are all very good reasons for enabling HTTPS, but none of those
serve as a good reason for disabling HTTP.
It someone uses a broken proxy he/she can fix it or switch to https,
but why are others required to switch?
I for one would be unhappy with losing the ability of using a caching
proxy for APT repositories hosted on p.d.o, I saved many GB-s of
bandwidth this way.

I have added debian-admin@l.d.o to CC since according to the email
starting this thread this is the address where questions should be
sent and apparently this thread did not get any attention of the Admin


> [0] Git pushes over HTTP with Kerberos, among many others.
> --
> brian m. carlson / brian with sandals: Houston, Texas, US
> +1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
> OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

Reply to: