Re: About possible participation in Reset the Net campaign



2014-05-20 21:47 GMT+02:00 Michael Catanzaro <mcatanzaro gnome org>:

> Currently gnome.org does not even use HTTPS by default, let alone HSTS
> or PFS. If we are planning to endorse this campaign, I think we should
> also implement their recommendations.

Assuming gnome.org stands for www.gnome.org, I'm asking you whether it makes sense to "abuse" the use of SSL even when it is not really needed. The main GNOME website hosts news, articles, Foundation and Foundation Membership information; no sensitive information is being sent "over the wire" unencrypted, and eavesdropping on such information would be harmless. That said, apart from the whole website being available over SSL on demand if the user really wants every single byte encrypted, the relevant areas (wp-login and wp-admin) are automatically redirected to HTTPS so that logins happen securely.

It has to be said that a few other websites (like help.gnome.org and planet.gnome.org) are currently being served through HTTPS by default (even if they serve static pages with no sensitive information or login form exposed to the public), but the reason behind it is merely that we have a permanent redirect rule on our proxies that forwards all requests arriving on the unencrypted wire to an SSL-enabled vhost, which then reverse proxies the requests to the internal network.

Honestly, I don't think SSL should be abused when it's not really needed, and most of all I still think the GNOME Infrastructure would care deeply about the privacy and security of its users even without serving the planet, the documentation website and the main GNOME website with HTTPS by default.

--
Cheers,

Andrea

Debian Developer,
Fedora / EPEL packager,
GNOME Sysadmin,
GNOME Foundation Membership & Elections Committee Chairman

Homepage: http://www.gnome.org/~av
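The two setups the message above describes, as an added nginx illustration that is not GNOME's configuration (host names, the `backend` upstream and the certificate paths are hypothetical): variant A is a plain-HTTP site where only the WordPress login and admin paths are forced onto HTTPS; variant B is the blanket HTTP-to-HTTPS redirect used for the proxied sites, extended with the HSTS header and forward-secret (ECDHE) cipher selection that the quoted message asks for.

```nginx
# Added example, not GNOME's configuration. Host names, the "backend"
# upstream and all certificate paths are hypothetical placeholders.

upstream backend {
    server 10.0.0.10:8080;   # hypothetical internal web server
}

# ---------------------------------------------------------------
# Variant A: site stays on plain HTTP, only wp-login.php and
# /wp-admin are redirected to HTTPS so credentials never go in clear.
# ---------------------------------------------------------------
server {
    listen 80;
    server_name www.example.org;

    # Only the login and admin paths are bounced to HTTPS.
    location ~ ^/(wp-login\.php|wp-admin) {
        return 301 https://$host$request_uri;
    }

    # Everything else (news, articles, static pages) is served over HTTP.
    location / {
        proxy_pass http://backend;
    }
}

server {
    listen 443 ssl;
    server_name www.example.org;
    ssl_certificate     /etc/ssl/certs/www.example.org.pem;
    ssl_certificate_key /etc/ssl/private/www.example.org.key;

    location / {
        proxy_pass http://backend;
    }
}

# ---------------------------------------------------------------
# Variant B: every HTTP request is permanently redirected to the
# SSL vhost, which reverse proxies to the internal network; the
# HTTPS vhost additionally sends HSTS and only offers ECDHE ciphers.
# ---------------------------------------------------------------
server {
    listen 80;
    server_name help.example.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name help.example.org;
    ssl_certificate     /etc/ssl/certs/help.example.org.pem;
    ssl_certificate_key /etc/ssl/private/help.example.org.key;

    # Forward secrecy: ephemeral ECDH key agreement only, server order wins.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

    # HSTS: browsers that have seen this header refuse plain HTTP to the
    # host (and its subdomains) for one year.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    location / {
        proxy_pass http://backend;
    }
}
```

One caveat worth keeping in mind with variant A: it protects the login request itself, but any session cookie the login sets is only kept off the plain-HTTP page views if it carries the Secure flag; without it, the browser sends that cookie along with every HTTP request to the rest of the site. Variant B avoids the question entirely, and HSTS removes the initial plain-HTTP request on repeat visits, so the redirect is only relied on the first time a browser sees the host.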

