[LAD] https for linuxaudio.org

IOhannes m zmoelnig zmoelnig at iem.at
Tue Nov 21 10:39:49 UTC 2017

Previous message: [LAD] https for linuxaudio.org
Next message: [LAD] https for linuxaudio.org
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2017-11-21 10:49, Jeremy Jongepier wrote:
> Hello David,
> 
>> I'm currently taking over a bunch of packages for Arch Linux (mainly
>> pro-audio stuff).
>> Would it be possible to implement letsencrypt for linuxaudio.org and all
>> of its subdomains?
> It's possible for linuxaudio.org but not for all the subdomains. the
> linuxaudio.org server is a shared server that hosts projects of a
> variety of organizations and people. root at linuxaudio.org can't enforce
> the usage of SSL for all users, it's a decision the users have to take.

i'm not sure whether i read this correctly, but you make it sound like
there's technical problems hindering the implementation of https://,
although i think these are merely social (e.g. you don't want to shove
https:// down the throat of just anybody).
it's also slightly unclear what you mean by "users" (intuitively i would
have said that "users" refers to the people who want to access the
website with their browsers; however, as root at linuxaudio.org you might
think of the 'variety of organizations and people' who host projects on
linuxaudio.org as your "users").

also, there's a slight difference between "enforcing the usage of SSL"
(shoving it down the throats of everybody) and "enabling" it.

https:// is a great means against mitm attacks; as ralf has pointed out,
it's less useful as a tool to ensure privacy (use tor for that) or
integrity (use gpg signatures for that). however, it does help raising
the standards for both.
there is practically no reason to *not* use https:// everywhere (well
there's one: CPU power on the server side).

if CPU power is not a problem, i would suggest to:
- enable https:// for *all* VHOSTS that are directly running on the
linuxaudio.org infrastructure
- allow all organizations and people that "run" one of these VHOSTS to
permanently redirect to https:// (if the choose so).

of course people who run their own VHOSTS (if any) need to implement
https:// themselves.

and of course, i'm not associated with anything linuxaudio.org, so i
don't know the exact contract under which you give away VHOSTS.

asdr
IOhannes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.linuxaudio.org/pipermail/linux-audio-dev/attachments/20171121/425832c3/attachment.pgp>

Previous message: [LAD] https for linuxaudio.org
Next message: [LAD] https for linuxaudio.org
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Linux-audio-dev mailing list