On 2017-11-21 10:49, Jeremy Jongepier wrote:
Hello David,
I'm currently taking over a bunch of packages for Arch Linux (mainly
pro-audio stuff).
Would it be possible to implement letsencrypt for linuxaudio.org and all
of its subdomains?
It's possible for linuxaudio.org but not for all the subdomains. The
linuxaudio.org server is a shared server that hosts projects of a
variety of organizations and people. root(a)linuxaudio.org can't enforce
the usage of SSL for all users, it's a decision the users have to take.
i'm not sure whether i read this correctly, but you make it sound like
there's technical problems hindering the implementation of https://,
although i think these are merely social (e.g. you don't want to shove
https:// down the throat of just anybody).
it's also slightly unclear what you mean by "users" (intuitively i would
have said that "users" refers to the people who want to access the
website with their browsers; however, as root(a)linuxaudio.org you might
think of the 'variety of organizations and people' who host projects on
linuxaudio.org as your "users").
also, there's a slight difference between "enforcing the usage of SSL"
(shoving it down the throats of everybody) and "enabling" it.
https:// is a great means against mitm attacks; as ralf has pointed out,
it's less useful as a tool to ensure privacy (use tor for that) or
integrity (use gpg signatures for that). however, it does help raising
the standards for both.
there is practically no reason to *not* use https:// everywhere (well
there's one: CPU power on the server side).
if CPU power is not a problem, i would suggest to:
- enable https:// for *all* VHOSTS that are directly running on the
linuxaudio.org infrastructure
- allow all organizations and people that "run" one of these VHOSTS to
permanently redirect to https:// (if they choose so).
of course people who run their own VHOSTS (if any) need to implement
https:// themselves.
and of course, i'm not associated with anything linuxaudio.org, so i
don't know the exact contract under which you give away VHOSTS.
asdr
IOhannes