Re: Making TLS/SSL optional

Show/hide message thread

Making TLS/SSL optional Lassi Kortela (23 Aug 2022 07:44 UTC)

Re: Making TLS/SSL optional Vasilij Schneidermann (23 Aug 2022 10:40 UTC)

Re: Making TLS/SSL optional Lassi Kortela (23 Aug 2022 16:51 UTC)

Re: Making TLS/SSL optional Arthur A. Gleckler (23 Aug 2022 17:12 UTC)

Re: Making TLS/SSL optional Lassi Kortela (23 Aug 2022 17:37 UTC)

Re: Making TLS/SSL optional Arthur A. Gleckler (23 Aug 2022 17:44 UTC)

Re: Making TLS/SSL optional Vasilij Schneidermann (24 Aug 2022 19:38 UTC)

Re: Making TLS/SSL optional Arthur A. Gleckler (23 Aug 2022 14:22 UTC)

Re: Making TLS/SSL optional Magnus Ahltorp (24 Aug 2022 16:57 UTC)

Re: Making TLS/SSL optional Vasilij Schneidermann 23 Aug 2022 10:40 UTC

Show/hide attachments

> Here's a good summary of the issues that are readily understandable:
> http://cryto.net/~joepie91/blog/2015/05/01/on-mozillas-forced-ssl/

The arguments could be better:

- Baseline Requirements are a thing and required for CAs to fulfill
  before they can be included into trust stores. Certificate
  Transparency is used to monitor issuing of new certificates and detect
  compromises.
- It doesn't merely provide confidentiality, but also ensures integrity
  of whatever I download (provided I'm not on corporate network and
  install their root CA). This is a low-effort way of ensuring third
  parties on the network can mess with something like packages downloaded
  via snow/akku. A workaround would be to use cryptographic signing, but
  that's a far bigger can of worms to get right.
- Let's Encrypt turned out to work just fine since that blog post. They
  support wildcards, though they require a DNS challenge. Mind you,
  wildcards are not recommended to be used (the argument is that a
  compromise of a server would allow serving arbitrary subdomains).

That leaves the argument that browser makers lock out features for
websites not using HTTPS, thereby raising the overall barrier to entry.
This is the only one I sympathize with. There should be no need to set
up HTTPS locally to do web development.

> The upshot for Scheme.org is that TLS is a standard which we must
> support.  But that doesn't mean we must _require_ it. I think we
> should continue to offer plain unencrypted HTTP access. That should be
> relatively uncontroversial for most of our sites, which host technical
> content that is readily available to the world from public git repos.

call-cc.org operates on this principle (the main reason being that
`chicken-install` has minimal dependencies and therefore cannot depend
on a TLS library), but had to do a lot of editing to use relative (when
referring to content on the same domain) or protocol-relative URLs (when
referring to content on a different domain/subdomain). Some people have
a policy of preferring https:// URLs whenever possible and the browser
not automatically redirecting them makes that more annoying.

> However, some of our sites will have a login feature. Currently the
> only one is Gitea but there will probably be more. Perhaps these
> should continue to require TLS so that passwords are not sent in the
> clear?

I'd still keep using TLS for delivery of source code meant to be
installed on other people's machines (like tarballs on snow/akku). I've
considered researching how hard it would be to pull off a MITM scenario
on package managers/repositories in the Emacs/Scheme/CL ecosystems, I
guess not terribly. Whether it makes sense to actively invest time into
it, no idea. What are your thoughts on this?