[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: people.debian.org will move from ravel to paradis and become HTTPS only

Op zondag 20 juli 2014 18:19:14 schreef Peter Palfrader:
> On Sun, 20 Jul 2014, Wouter Verhelst wrote:
> > > > These are all good arguments for enabling HTTPS and making it the
> > > > default (which I've said repeatedly is a move that I support, or at
> > > > the
> > > > very least don't oppose), but not for *disabling* the possibility of
> > > > plain HTTP.
> > > 
> > > Pray tell: How do you make it default.
> > 
> > - Enable HSTS on the domain
> > - Run "sed -i -e 's,http://people.debian.org,https://people.debian.org,g'"
> > 
> >   over a webwml export.
> > 
> > - Create a robots.txt file which is visible from the HTTP export (but
> > 
> >   not from the HTTPS one) which looks like this:
> None of these brings people who type in people.debian.org into their
> browser to https.

If they type it in because they want to avoid HTTPS for whatever local
reason, then that's a feature, not a bug.

If they type it in because they were given a HTTP URL rather than a
HTTPS one by someone else, then you should cluebat that someone else.

Write a bot for IRC that cluebats people automatically if they provide
HTTP rather than HTTPS URLs, for instance. Complain on mailinglists if
you want to.

If HSTS is enabled and you access people.debian.org even once (and you
don't clear out their entire cache for as long as the HSTS timeout
lives), then HSTS will ensure that the HTTP URL gets turned into an
HTTPS URL automatically.

What's the problem? Unencrypted traffic is *not* evil. Neither are
people who for whatever local reason need to disable HTTPS.

It is easy to love a country that is famous for chocolate and beer

  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26

Reply to: