Making TLS/SSL optional Lassi Kortela 23 Aug 2022 07:44 UTC

TLS is widely touted as securing the web. This year I've heard some
compelling arguments that this is false advertising.

Here's a good summary of the issues that are readily understandable:
http://cryto.net/~joepie91/blog/2015/05/01/on-mozillas-forced-ssl/

I'll omit the deeper issues since they are controversial and require
some background; email me if you want to hear about them.

The upshot for Scheme.org is that TLS is a standard which we must
support. But that doesn't mean we must _require_ it. I think we should
continue to offer plain unencrypted HTTP access. That should be
relatively uncontroversial for most of our sites, which host technical
content that is readily available to the world from public git repos.

However, some of our sites will have a login feature. Currently the only
one is Gitea but there will probably be more. Perhaps these should
continue to require TLS so that passwords are not sent in the clear?