Hi,

Hanno Böck wrote:
> Right now a number of Gentoo webpages are by default served over http.
> There is a growing trend to push more webpages to default to https,
> mostly pushed by google. I think this is a good thing and I think
> Gentoo should follow.

+1

> Right now we seem to have a mix:
> * A number of webpages default to http and have optional https
> (www.gentoo.org)
> * Some with sensitive logins are already https by default (e.g.
> bugs.gentoo.org), but they don't use hsts, which they should
> * Some with logins are mixed http/login-via-https, which makes them
> vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org)

Don't forget the forum (http://forums.gentoo.org/). Even if you connect
to https://forums.gentoo.org/ it will always fall back to HTTP.
Also all the mail notifications will send you to the HTTP version...

-Thomas
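
The site categories discussed in this message can be told apart from a host's first responses over http:// and https://. The following is an added example, not part of the original mail or any Gentoo tooling: a small classifier run over constructed responses for hypothetical `example.org` hosts (all hostnames, helper names and category labels are assumptions).

```python
import re
from urllib.parse import urlsplit

def header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def hsts_max_age(headers):
    """max-age from Strict-Transport-Security, or None if absent or malformed."""
    for directive in (header(headers, "Strict-Transport-Security") or "").split(";"):
        m = re.fullmatch(r'\s*max-age\s*=\s*"?(\d+)"?\s*', directive, re.I)
        if m:
            return int(m.group(1))
    return None

def redirect_scheme(resp):
    """Scheme an absolute 3xx redirect points to, else None."""
    if 300 <= resp["status"] < 400:
        return urlsplit(header(resp["headers"], "Location") or "").scheme or None
    return None

def classify(http_resp, https_resp):
    """Classify a host from its first responses over http:// and https://."""
    if redirect_scheme(https_resp) == "http":
        return "https-falls-back-to-http"   # the forum behaviour described above
    if redirect_scheme(http_resp) != "https":
        return "http-by-default"            # HTTPS is optional at best
    if not hsts_max_age(https_resp["headers"]):
        return "https-without-hsts"         # header missing, malformed, or max-age=0
    return "https-with-hsts"

def ok(headers=None):
    return {"status": 200, "headers": headers or {}}

def redirect(url):
    return {"status": 301, "headers": {"Location": url}}

# Constructed responses for hypothetical hosts (not captured from any real site).
SAMPLES = {
    "www.example.org":    (ok(), ok()),
    "bugs.example.org":   (redirect("https://bugs.example.org/"), ok()),
    "forums.example.org": (ok(), redirect("http://forums.example.org/")),
    "hsts.example.org":   (redirect("https://hsts.example.org/"),
                           ok({"strict-transport-security": "max-age=31536000; includeSubDomains"})),
}

def audit(samples):
    return {host: classify(*pair) for host, pair in samples.items()}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLES).items():
        print(f"{host:20} {verdict}")
```

A site that serves pages over HTTP and only switches to HTTPS for the login form lands in `http-by-default` here, since the classifier looks only at the first response per scheme.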