On Wed, 2014-05-21 at 00:33 +0200, Andrea Veri wrote:
Assuming gnome.org stands for www.gnome.org I'm asking you whether it makes sense to "abuse" the use of SSL even when not really needed?
From your response, I can see that you're concerned primarily with protecting users' personal information. From that perspective, I'm basically satisfied as long as our Bugzilla uses SSL, and it does, so great! In contrast, Reset the Net is interested in countering pervasive surveillance, which really does require HTTPS/HSTS to be used on all pages. Their goal is not to protect users' passwords; it's to prevent the NSA from determining whether our users are visiting http://www.gnome.org/gnome-3 or http://www.gnome.org/news/. It's an encrypt-the-web campaign, and it'd be silly for GNOME to sign up if we don't really mean it. (It'd also be a bit silly to run a $20000 privacy campaign and then not participate in this, but I guess there are real disadvantages to "abusing" SSL: increased power costs, correct?)