| 1 |
On Fri, Mar 27, 2015 at 06:14:38PM +0100, Thomas D. wrote: |
| 2 |
> > Right now we seem to have a mix: |
| 3 |
> > * A number of webpages default to http and have optional https |
| 4 |
> > (www.gentoo.org) |
| 5 |
> > * Some with sensitive logins are already https by default (e.g. |
| 6 |
> > bugs.gentoo.org), but they don't use hsts, which they should |
| 7 |
> > * Some with logins are mixed http/login-via-https, which makes them |
| 8 |
> > vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org) |
| 9 |
> Don't forget the forum (http://forums.gentoo.org/). Even if you connect |
| 10 |
> to https://forums.gentoo.org/ it will always fall back to HTTP. |
| 11 |
I can't reproduce this downgrade that you describe; please provide some |
| 12 |
steps to show it? |
| 13 |
|
| 14 |
-- |
| 15 |
Robin Hugh Johnson |
| 16 |
Gentoo Linux: Developer, Infrastructure Lead |
| 17 |
E-Mail : robbat2@g.o |
| 18 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
Archives