| 1 |
Hi, |
| 2 |
|
| 3 |
Right now a number of Gentoo webpages are by default served over http. |
| 4 |
There is a growing trend to push more webpages to default to https, |
| 5 |
mostly pushed by google. I think this is a good thing and I think |
| 6 |
Gentoo should follow. |
| 7 |
|
| 8 |
Right now we seem to have a mix: |
| 9 |
* A number of webpages default to http and have optional https |
| 10 |
(www.gentoo.org) |
| 11 |
* Some with sensitive logins are already https by default (e.g. |
| 12 |
bugs.gentoo.org), but they don't use hsts, which they should |
| 13 |
* Some with logins are mixed http/login-via-https, which makes them |
| 14 |
vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org) |
| 15 |
|
| 16 |
I'd propose the following: |
| 17 |
* Make all pages under .gentoo.org https by default |
| 18 |
* Make sure all use modern HTTPS features, including: |
| 19 |
* OCSP Stapling |
| 20 |
* HSTS |
| 21 |
* A secure collection of cipher suites |
| 22 |
* (one may add HPKP here, but it requires careful planning and has the |
| 23 |
potential to lock people out of the page if done wrong) |
| 24 |
(On the long term I think it would also be good to have downloads over |
| 25 |
https, but I'm aware that this is more difficult as it involves mirror |
| 26 |
operators that are not under direct control of gentoo infrastructure.) |
| 27 |
|
| 28 |
As I know these discussions, I'll already answer to some |
| 29 |
counter-arguments that may come up: |
| 30 |
|
| 31 |
"It's not neccessary to do https on pages without logins" |
| 32 |
These kinds of arguments show a fundamental misunderstanding of what |
| 33 |
https does. It guarantees confidentiality *and* integrity. In short, it |
| 34 |
protects content not only from observation, but also from manipulation, |
| 35 |
which is always a good thing. A very practical example is that on some |
| 36 |
networks foreign ads get injected into other peoples webpages. |
| 37 |
|
| 38 |
"Makes things slower / servers can't handle it" |
| 39 |
The performance costs for TLS on a server are often vastly overstatet. |
| 40 |
The performance hit on servers doing https is very close to zero, it |
| 41 |
just doesn't matter much. |
| 42 |
There are some latency problems for connections, but these can mostly |
| 43 |
be wiped out by a sane configuration of the server. If http/2 is used |
| 44 |
one can even improve the performance with https. |
| 45 |
|
| 46 |
"Certificates are too expensive" |
| 47 |
Gentoo already has certs for all pages, so this is not an argument |
| 48 |
here, but if this ever becomes an issue there are a number of CAs these |
| 49 |
days that issue free certs. In summer the community based CA Let's |
| 50 |
encrypt will start which will be another option. |
| 51 |
|
| 52 |
"CAs are bad and the whole system is broken" |
| 53 |
Partly true, but it doesn't get any better if people stick to HTTP. |
| 54 |
Many problems of the CA system can be mitigated by modern technologies |
| 55 |
like Key Pinning and Certificate Transparency. |
| 56 |
|
| 57 |
I think defaulting the net to HTTPS is a big step for more security and |
| 58 |
I think Gentoo should join the trend here. |
| 59 |
|
| 60 |
cu, |
| 61 |
|
| 62 |
-- |
| 63 |
Hanno Böck |
| 64 |
http://hboeck.de/ |
| 65 |
|
| 66 |
mail/jabber: hanno@××××××.de |
| 67 |
GPG: BBB51E42 |
Archives