Making TLS/SSL optional Lassi Kortela (23 Aug 2022 07:44 UTC)
Re: Making TLS/SSL optional Vasilij Schneidermann (23 Aug 2022 10:40 UTC)
Re: Making TLS/SSL optional Lassi Kortela (23 Aug 2022 16:51 UTC)
Re: Making TLS/SSL optional Arthur A. Gleckler (23 Aug 2022 17:12 UTC)
Re: Making TLS/SSL optional Lassi Kortela (23 Aug 2022 17:37 UTC)
Re: Making TLS/SSL optional Arthur A. Gleckler (23 Aug 2022 17:43 UTC)
Re: Making TLS/SSL optional Vasilij Schneidermann (24 Aug 2022 19:38 UTC)
Re: Making TLS/SSL optional Arthur A. Gleckler (23 Aug 2022 14:21 UTC)
Re: Making TLS/SSL optional Magnus Ahltorp (24 Aug 2022 16:57 UTC)

Making TLS/SSL optional Lassi Kortela 23 Aug 2022 07:44 UTC

TLS is widely touted as securing the web. This year I've heard some compelling arguments that this is false advertising. Here's a good summary of the issues that are readily understandable:

http://cryto.net/~joepie91/blog/2015/05/01/on-mozillas-forced-ssl/

I'll omit the deeper issues since they are controversial and require some background; email me if you want to hear about them.

The upshot for Scheme.org is that TLS is a standard which we must support. But that doesn't mean we must _require_ it. I think we should continue to offer plain unencrypted HTTP access. That should be relatively uncontroversial for most of our sites, which host technical content that is readily available to the world from public git repos.

However, some of our sites will have a login feature. Currently the only one is Gitea but there will probably be more. Perhaps these should continue to require TLS so that passwords are not sent in the clear?