[LAD] https for linuxaudio.org

Ralf Mardorf ralf.mardorf at alice-dsl.net
Sun Nov 26 16:56:33 UTC 2017


On Sun, 26 Nov 2017 16:51:53 +0100, David Runge wrote:
>> Not that much, since even when additionally using TOR, privacy isn't
>> ensured without exceptions,
>> https://www.torproject.org/docs/faq.html.en#AttacksOnOnionRouting .  
>That of course is also true and thanks for pointing it out.
>When writing, I was more thinking of subdomains hosting applications,
>that require authentication (then seeing, that e.g.
>{lists,wiki}.linuxaudio.org already facilitate letsencrypt certs).
>
>Of course, given the right tools and infrastructure, it gets
>increasingly harder to achieve some form of privacy.
>However, that's no reason not to aim for the maximum amount thereof.
>
>In any case (unless your ssl is broken) and however one wants to turn
>it: It is beneficial to implement https and I'm happy to hear it will
>be done.

Btw. when I asked to provide Ardour for Arch with disabling the phone
home option, as Debian and Ubuntu already did, it was not because I had
concerns regarding upstream, I've done this, e.g. because activists use
Ardour and at the same time TOR browser, without redirecting all
traffic through the onion. I'm pro every little step to grant more
privacy by default, https is one of those steps. Actually ssl is much
known to the masses for Heartbleed, not for security and it's
kinda always in a broken state.

[rocketmouse at archlinux ~]$ arch-audit | grep ssl
Package openssl-1.0 is affected by CVE-2017-3736, CVE-2017-3735. Medium risk!

Ok, no output for openssl yet, just for openssl-1.0, however taking a
look at...

[rocketmouse at archlinux ~]$ pactree -r openssl-1.0
[snip]
[rocketmouse at archlinux ~]$ pactree -r openssl
[snip]

...we should take into consideration that ssl isn't the universal
salvation.

But again, I agree with you, https is better than no https ;).

Regards,
Ralf

