Hi,

Right now a number of Gentoo webpages are by default served over http.
There is a growing trend to push more webpages to default to https,
mostly pushed by Google. I think this is a good thing and I think
Gentoo should follow.

Right now we seem to have a mix:
* A number of webpages default to http and have optional https
(www.gentoo.org)
* Some with sensitive logins are already https by default (e.g.
bugs.gentoo.org), but they don't use HSTS, which they should
* Some with logins are mixed http/login-via-https, which makes them
vulnerable to ssl-stripping attacks (e.g. wiki.gentoo.org)

I'd propose the following:
* Make all pages under .gentoo.org https by default
* Make sure all use modern HTTPS features, including:
  * OCSP Stapling
  * HSTS
  * A secure collection of cipher suites
  * (one may add HPKP here, but it requires careful planning and has the
potential to lock people out of the page if done wrong)
(In the long term I think it would also be good to have downloads over
https, but I'm aware that this is more difficult as it involves mirror
operators that are not under direct control of Gentoo infrastructure.)

As I know these discussions, I'll already answer some
counter-arguments that may come up:

"It's not necessary to do https on pages without logins"
These kinds of arguments show a fundamental misunderstanding of what
https does. It guarantees confidentiality *and* integrity. In short, it
protects content not only from observation, but also from manipulation,
which is always a good thing. A very practical example is that on some
networks foreign ads get injected into other people's webpages.

"Makes things slower / servers can't handle it"
The performance costs for TLS on a server are often vastly overstated.
The performance hit on servers doing https is very close to zero; it
just doesn't matter much.
There are some latency problems for connections, but these can mostly
be wiped out by a sane configuration of the server. If http/2 is used
one can even improve the performance with https.

"Certificates are too expensive"
Gentoo already has certs for all pages, so this is not an argument
here, but if this ever becomes an issue there are a number of CAs these
days that issue free certs. In summer the community-based CA Let's
Encrypt will start, which will be another option.

"CAs are bad and the whole system is broken"
Partly true, but it doesn't get any better if people stick to HTTP.
Many problems of the CA system can be mitigated by modern technologies
like Key Pinning and Certificate Transparency.

I think defaulting the net to HTTPS is a big step for more security and
I think Gentoo should join the trend here.

cu,

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@××××××.de
GPG: BBB51E42
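Two of the points in the mail above can be checked mechanically: whether a plain-http entry point hands the browser over to https (the mixed http/login-via-https setup is the one an ssl-stripping attacker rewrites), and whether the https response carries a usable Strict-Transport-Security header. The following is an added example, not part of Hanno's mail and not Gentoo's infrastructure code: a small Python audit over captured responses. The hostnames, the response headers and the six-month max-age threshold are constructed assumptions for illustration.

```python
"""Audit captured HTTP and HTTPS responses for two HTTPS-by-default properties:
a plain-http request must redirect to https, and the https response must carry
a usable Strict-Transport-Security (HSTS) header as defined in RFC 6797.

Added example; the responses at the bottom are constructed, not real captures.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumed threshold for a "long enough" max-age: six months. (Browser preload
# lists require at least one year, 31536000 seconds.)
MIN_MAX_AGE = 180 * 24 * 3600


@dataclass
class Response:
    url: str                 # URL that was requested
    status: int
    headers: Dict[str, str]  # header names lower-cased


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse an STS header value per RFC 6797 section 6.1.

    max-age is mandatory and must not appear more than once; directive names
    are case-insensitive; unknown directives are ignored. Returns None when the
    header is malformed, which is also when browsers ignore it.
    """
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def audit(http: Response, https: Response) -> List[str]:
    """Return a list of findings; an empty list means both checks pass."""
    findings: List[str] = []

    # 1. The plain-http entry point must redirect to https. A page that stays on
    #    http and merely links to an https login form is the mixed setup an
    #    sslstrip-style attacker rewrites on the wire.
    location = http.headers.get("location", "")
    target = urlparse(location) if location else None
    if http.status not in (301, 302, 307, 308) or target is None or target.scheme != "https":
        findings.append("http: no redirect to https; content can be read and rewritten in transit")
    elif target.hostname != urlparse(http.url).hostname:
        # Allowed, but the originally requested hostname then never receives an HSTS policy.
        findings.append(f"http: redirect changes host to {target.hostname}; the bare host gets no HSTS")

    # 2. HSTS must be set on the https response; browsers ignore it over plain http
    #    (RFC 6797 section 8.1), so sending it there is a misconfiguration hint.
    if "strict-transport-security" in http.headers:
        findings.append("http: Strict-Transport-Security sent over plain http is ignored by browsers")
    sts = https.headers.get("strict-transport-security")
    if sts is None:
        findings.append("https: no Strict-Transport-Security header")
    else:
        policy = parse_hsts(sts)
        if policy is None:
            findings.append(f"https: malformed Strict-Transport-Security header: {sts!r}")
        else:
            if policy.max_age < MIN_MAX_AGE:
                findings.append(f"https: HSTS max-age {policy.max_age} is below {MIN_MAX_AGE}")
            if not policy.include_subdomains:
                findings.append("https: HSTS lacks includeSubDomains")
    return findings


# Constructed sample responses (assumed hostnames, not real captures).
# Mixed setup like the one described for the wiki: http page served in the clear, no HSTS.
MIXED_HTTP = Response("http://wiki.example.org/", 200, {"content-type": "text/html"})
MIXED_HTTPS = Response("https://wiki.example.org/", 200, {"content-type": "text/html"})
# Target setup: redirect to https on the same host, one-year HSTS covering subdomains.
GOOD_HTTP = Response("http://www.example.org/", 301, {"location": "https://www.example.org/"})
GOOD_HTTPS = Response("https://www.example.org/", 200,
                      {"strict-transport-security": "max-age=31536000; includeSubDomains"})

if __name__ == "__main__":
    for label, pair in (("mixed", (MIXED_HTTP, MIXED_HTTPS)), ("good", (GOOD_HTTP, GOOD_HTTPS))):
        print(label, audit(*pair) or ["ok"])
```

The audit deliberately treats a malformed header (no max-age, or max-age given twice) the same way a browser does, as no policy at all, so a typo in the server configuration shows up as a finding rather than passing silently. Running it against live hosts only requires filling the Response objects from real requests; the checks themselves need no network.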