[LAD] https for linuxaudio.org

Jeremy Jongepier jeremy at autostatic.com
Tue Nov 21 11:44:41 UTC 2017


Hello IOhannes,

On 11/21/2017 11:39 AM, IOhannes m zmoelnig wrote:
> On 2017-11-21 10:49, Jeremy Jongepier wrote:
>> Hello David,
>>
>>> I'm currently taking over a bunch of packages for Arch Linux (mainly
>>> pro-audio stuff).
>>> Would it be possible to implement letsencrypt for linuxaudio.org and all
>>> of its subdomains?
>> It's possible for linuxaudio.org but not for all the subdomains. The
>> linuxaudio.org server is a shared server that hosts projects of a
>> variety of organizations and people. root at linuxaudio.org can't enforce
>> the usage of SSL for all users, it's a decision the users have to take.
> 
> i'm not sure whether i read this correctly, but you make it sound like
> there are technical problems hindering the implementation of https://,
> although i think these are merely social (e.g. you don't want to shove
> https:// down the throat of just anybody).

The latter, it's not a technical issue.

> it's also slightly unclear what you mean by "users" (intuitively i would
> have said that "users" refers to the people who want to access the
> website with their browsers; however, as root at linuxaudio.org you might
> think of the 'variety of organizations and people' who host projects on
> linuxaudio.org as your "users").

I mean the latter indeed, the organizations and people that use the
linuxaudio.org server are users on the server.

> 
> also, there's a slight difference between "enforcing the usage of SSL"
> (shoving it down the throats of everybody) and "enabling" it.
> 

I agree, thanks for pointing that out, had a bit too narrow of a
perspective.

> 
> https:// is a great means against mitm attacks; as ralf has pointed out,
> it's less useful as a tool to ensure privacy (use tor for that) or
> integrity (use gpg signatures for that). however, it does help raise
> the standards for both.
> there is practically no reason to *not* use https:// everywhere (well
> there's one: CPU power on the server side).
> 
> if CPU power is not a problem, i would suggest to:
> - enable https:// for *all* VHOSTS that are directly running on the
> linuxaudio.org infrastructure
> - allow all organizations and people that "run" one of these VHOSTS to
> permanently redirect to https:// (if they choose so).

CPU is not a problem. Unless anybody has any objections I'll enable SSL
for linuxaudio.org subdomains as soon as Let's Encrypt starts offering
wildcard certificates, that way we can secure more services too and it
makes maintenance a bit easier. That will be January 2018 but if LE
can't deliver in due time I'll request separate certificates. There are
some non-linuxaudio.org domains on the server too, I'll look at those too.

> 
> of course people who run their own VHOSTS (if any) need to implement
> https:// themselves.
> 
> and of course, i'm not associated with anything linuxaudio.org, so i
> don't know the exact contract under which you give away VHOSTS.
> 
> asdr
> IOhannes

Jeremy
