No HTTPS on by default

Daniël Mostertman daniel at
Tue Aug 23 14:31:43 UTC 2016

On 2016-08-23 15:31, Maxim Konovalov wrote:
> Let me repeat: supports HTTPS.
> I don't think it adds any measurable security here, but it's a matter
> of religion, and you can use it for free if you think it does.

Although it would be chic if would advertise an HSTS header 
so that subsequent requests go over HTTPS if a browser supports it.
You could also opt to add it to the HSTS preload database, which works 
in all major browsers. Even the initial request goes to HTTPS then.

Numerous reasons to support the unencrypted version have already been 
given, and (high) encryption is offered.
In my opinion you should offer encrypted and unencrypted over the same 
address, and use technologies like these so that capable browsers that 
prefer encryption use it by default.
Do not simply force encryption on the main site; there's simply no need 
in this day and age. A lot of companies have thought about this before, 
including major browser developers.

Since those are the ones we serve websites to, it shouldn't take too 
much effort to convince people that they might have a point with doing 
it this way.

You can also consider enabling DNSSEC support for, which also 
makes your recursors able to validate (and therefore downloads 
and signature validation from).
You can then also mitigate MITM attacks without encryption enabled.

As for speed, TLS with nginx is pretty fast, especially with other 
technologies to quickly push through more requests.
Not the same level as unencrypted connections, but, certainly with 
hardware AES support in most CPUs, it's not that big of a deal anymore for 
most sites.

Just my € 0,02
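What the setup argued for above looks like in nginx configuration, as an added example that is not part of the original thread and not nginx's own documentation. The hostname, document root and certificate paths are placeholders. Both listeners serve the same site and nothing redirects; only the TLS listener emits the HSTS header, because browsers discard Strict-Transport-Security received over plain HTTP (RFC 6797), so it can only affect clients that already made one HTTPS request. The `preload` token is deliberately left out of the live header: hstspreload.org requires a one-year `max-age`, `includeSubDomains`, `preload`, and an HTTP-to-HTTPS redirect on port 80, which this configuration intentionally does not do.

```nginx
# Added example (not from the original thread). example.org and the
# /etc/ssl and /var/www paths are placeholders.

# Plain HTTP stays available; no redirect, so clients that want
# unencrypted access keep it.
server {
    listen 80;
    listen [::]:80;
    server_name example.org;
    root /var/www/example.org;
}

# Same site over TLS. HTTP/2 (nginx 1.9.5+) and session resumption cover
# most of the cost the post mentions; the handshake is then paid once.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.org;
    root /var/www/example.org;

    ssl_certificate     /etc/ssl/example.org/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.org/privkey.pem;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;

    # One year, subdomains included. "always" (nginx 1.7.5+) adds the
    # header on 4xx/5xx responses too, not only on 2xx/3xx.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Only switch to this line once you also redirect port 80 to HTTPS and
    # intend to submit the host to hstspreload.org; the preload list is
    # effectively permanent, so it is not something to toggle casually:
    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
}
```

A quick way to verify the behaviour is `curl -sI https://example.org/ | grep -i strict-transport-security` (the header should appear) and the same against `http://example.org/` (it should not, and even if it did the browser would ignore it). Start with a short `max-age` such as 300 seconds while testing, since a mistaken one-year HSTS policy cannot be recalled from browsers that already cached it.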
