Hello IOhannes,
On 11/21/2017 11:39 AM, IOhannes m zmoelnig wrote:
On 2017-11-21 10:49, Jeremy Jongepier wrote:
Hello David,
I'm currently taking over a bunch of packages for Arch Linux (mainly pro-audio stuff).
Would it be possible to implement letsencrypt for linuxaudio.org and all of its subdomains?
It's possible for linuxaudio.org but not for all the subdomains. The linuxaudio.org server is a shared server that hosts projects of a variety of organizations and people. root(a)linuxaudio.org can't enforce the usage of SSL for all users, it's a decision the users have to take.
i'm not sure whether i read this correctly, but you make it sound like there are technical problems hindering the implementation of https://, although i think these are merely social (e.g. you don't want to shove https:// down the throat of just anybody).
The latter, it's not a technical issue.
it's also slightly unclear what you mean by "users" (intuitively i would have said that "users" refers to the people who want to access the website with their browsers; however, as root(a)linuxaudio.org you might think of the 'variety of organizations and people' who host projects on linuxaudio.org as your "users").
I mean the latter indeed, the organizations and people that use the linuxaudio.org server are users on the server.
also, there's a slight difference between "enforcing the usage of SSL" (shoving it down the throats of everybody) and "enabling" it.
I agree, thanks for pointing that out, I had a bit too narrow of a perspective.
https:// is a great means against mitm attacks; as ralf has pointed out, it's less useful as a tool to ensure privacy (use tor for that) or integrity (use gpg signatures for that). however, it does help raise the standards for both.
there is practically no reason to *not* use https:// everywhere (well, there's one: CPU power on the server side).
if CPU power is not a problem, i would suggest to:
- enable https:// for *all* VHOSTS that are directly running on the linuxaudio.org infrastructure
- allow all organizations and people that "run" one of these VHOSTS to permanently redirect to https:// (if they choose so).
CPU is not a problem. Unless anybody has any objections I'll enable SSL for linuxaudio.org subdomains as soon as Let's Encrypt starts offering wildcard certificates, that way we can secure more services too and it makes maintenance a bit easier. That will be January 2018 but if LE can't deliver in due time I'll request separate certificates. There are some non-linuxaudio.org domains on the server too, I'll look at those too.
of course people who run their own VHOSTS (if any) need to implement https:// themselves.
and of course, i'm not associated with anything linuxaudio.org, so i don't know the exact contract under which you give away VHOSTS.
asdr
IOhannes
Jeremy