On Mon, Jul 21, 2014 at 02:38:14PM +0000, Jacob Appelbaum wrote: > On 7/21/14, Iain R. Learmonth <irl@fsfe.org> wrote: > By that reasoning, we may not authenticate except by sending plaintext > passwords over such a network. That seems to either be an old policy, > a mistake or a network that is simply hostile towards modern security > requirements for individuals. I would say that a message digest to authenticate a message doesn't obscure its meaning for other amateurs as others could use it to verify the same message in the same way as the intended recipient. If SSL were used only for authentication, using a NULL cipher, then I would think that would be allowed, but also I would question any webserver that has SSL enabled with a NULL cipher also enabled. Remember, I'm not asking for HTTPS to not be default, just for an alternative VHOST name to be available without HTTPS. Users would have to be explicitly asking for it and it's only a few lines of Apache configuration to set up. > Is anyone hosting software on p.d.o and actually having it downloaded > over a radio link? That sounds like a good project but I wonder if > practically it happens in the wild? This is probably something I would have done, as I'm just getting back into amateur radio. I have not done it yet though. I would be interested to hear if there are any use cases out there. I bet they are part of rather cool projects. > We should not be beholden to the lowest common denominator. This seems > especially so when it is a matter of theory and without practical > issue. This is not what I'm asking for, just a seperate VHOST for those that want to use it. Of course, it's probably trivial to set up an HTTP service that proxies to the HTTPS one, but it's even more trivial to add those few lines of config to add a VHOST on the new machine. Iain. -- e: irl@fsfe.org w: iain.learmonth.me x: irl@jabber.fsfe.org t: +447875886930 c: MM6MVQ g: IO87we p: 1F72 607C 5FF2 CCD5 3F01 600D 56FF 9EA4 E984 6C49
Attachment:
pgpFayKAfars1.pgp
Description: PGP signature