No HTTPS on nginx.org by default

Mon Aug 22 17:23:41 UTC 2016

See https://nginx.org/en/linux_packages.html#stable

PGP key links are hard coded to http URLs:

<p>
For Debian/Ubuntu, in order to authenticate the nginx repository signature
and to eliminate warnings about missing PGP key during installation of the
nginx package, it is necessary to add the key used to sign the nginx
packages and repository to the <code>apt</code> program keyring.
Please download <a href="http://nginx.org/keys/nginx_signing.key">this
key</a> from our web site, and add it to the <code>apt</code>
program keyring with the following command:
</p>

On Mon, Aug 22, 2016 at 7:19 PM, Maxim Konovalov <maxim at nginx.com> wrote:

> On 8/22/16 8:15 PM, Richard Stanway wrote:
> > Could you at least fix the https download page, so it doesn't
> > directly link to a HTTP PGP key?
> >
> It works correctly: https://nginx.org/en/download.html
>
> > On Mon, Aug 22, 2016 at 6:49 PM, Maxim Konovalov <maxim at nginx.com
> > <mailto:maxim at nginx.com>> wrote:
> >
> >     On 8/22/16 7:41 PM, B.R. wrote:
> >     > The problem is, if the GPG key is served through HTTP, there is no
> >     > way to authenticate it, since it could be compromised through
> >     MITM.
> >     > I am very surprised to see myself being qualified as 'HTTPS
> >     despot'
> >     > when I just spot the obvious.
> >     >
> >     But it does not -- our PGP key distributed through a number of
> >     channels, including HTTPS.  Problem solved, case closed?
> >
> >     > Compromised repository + GPG key is one very powerful way of
> >     > impersonating another product.
> >     >
> >     > TLS provides both encryption and authentication, based on the
> >     > initial shared circle of trust.
> >     > Thus you certify the GPG key is authentic and thus, if it verifies
> >     > the binaries, you ensure the delivered package are produced by the
> >     > owner of the key, in the end the real author.
> >     >
> >     > In 2016, stating that content served over HTTP is 'secure'
> >     blows my
> >     > mind and kills your credibility.
> >     >
> >     Who did that?  What's his name?
> >
> >     > Now, as Richard pointed out, if you truly believe you need to
> >     > provide HTTP-only, you can. It would be better if it was in a very
> >     > visible fashion, though.
> >     > Where was despotism, again?
> >
> >     nginx.org <http://nginx.org> already has HTTPS therefore it is
> >     not HTTP-only.
> >
> >     > ---
> >     > *B. R.*
> >     >
> >     > On Mon, Aug 22, 2016 at 5:40 PM, Richard Stanway
> >     > <r1ch+nginx at teamliquid.net <mailto:r1ch%2Bnginx at teamliquid.net>
> >     <mailto:r1ch+nginx at teamliquid.net
> >     <mailto:r1ch%2Bnginx at teamliquid.net>>> wrote:
> >     >
> >     >     1. You could provide insecure.nginx.org <
> http://insecure.nginx.org>
> >     >     <http://insecure.nginx.org> mirror for such people, make
> >     >     nginx.org <http://nginx.org> <http://nginx.org> secure by
> >     default.
> >     >
> >     >     2. Modern server CPUs are already extremely energy efficient,
> >     >     TLS adds negligible load. See https://istlsfastyet.com/
> >     >
> >     >
> >     >
> >     >     On Mon, Aug 22, 2016 at 12:31 PM, Valentin V. Bartenev
> >     >     <vbart at nginx.com <mailto:vbart at nginx.com> <mailto:
> vbart at nginx.com
> >     <mailto:vbart at nginx.com>>> wrote:
> >     >
> >     >         On Sunday 21 August 2016 15:56:09 B.R. wrote:
> >     >         > It is surprising, since I remember Ilya Grigorik made a
> talk about TLS
> >     >         > during the first ever nginx conf in 2014:
> >     >         > https://www.youtube.com/watch?v=iHxD-G0YjiU
> >     <https://www.youtube.com/watch?v=iHxD-G0YjiU>
> >     >         <https://www.youtube.com/watch?v=iHxD-G0YjiU
> >     <https://www.youtube.com/watch?v=iHxD-G0YjiU>>
> >     >         > https://istlsfastyet.com/
> >     >
> >     >         It's just Ilya's opinion.  You are free to agree or not.
> >     >
> >     >
> >     >         >
> >     >         > Thus, there is no reason for not going full-HTTPS in
> delivering Web pages.
> >     >
> >     >         There are at least two reasons to not use HTTPS:
> >     >
> >     >          1. Provide easy access to information for people, who
> can't
> >     >         use encryption
> >     >             by political, legal, or technical reasons.
> >     >
> >     >          2. Don't waste resources on encryption, and thus save our
> >     >         planet.
> >     >
> >     >         Please, don't be a TLS despot and let people to have a
> >     >         choice to use encryption
> >     >         or not.
> >     >
> >     >         I think the situation when I can't download new version of
> >     >         OpenSSL using old
> >     >         version of OpenSSL is ridiculous, but they have configured
> >     >         openssl.org <http://openssl.org> <http://openssl.org>
> >     that way.
> >     >         How I supposed to use Internet then?
> >     >
> >     >           wbr, Valentin V. Bartenev
> >     >
> >
> >
> >     --
> >     Maxim Konovalov
> >     Join us at nginx.conf, Sept. 7-9, Austin, TX:
> >     http://nginx.com/nginxconf
> >
> >     _______________________________________________
> >     nginx mailing list
> >     nginx at nginx.org <mailto:nginx at nginx.org>
> >     http://mailman.nginx.org/mailman/listinfo/nginx
> >     <http://mailman.nginx.org/mailman/listinfo/nginx>
> >
> >
> >
> >
> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx
> >
>
>
> --
> Maxim Konovalov
> Join us at nginx.conf, Sept. 7-9, Austin, TX: http://nginx.com/nginxconf
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20160822/e4eff338/attachment.html>