No HTTPS on nginx.org by default
daniel at mostertman.org
Tue Aug 23 14:31:43 UTC 2016
On 2016-08-23 15:31, Maxim Konovalov wrote:
> Let me repeat: nginx.org supports HTTPS.
> I don't think it adds any measurable security here but it's matter
> of religion but you can use it for free if you think it does.
Although it would be chique if nginx.org would advertise a HSTS-header
so that next requests are over HTTPS if a browser supports it.
You could also opt to add it to the HSTS-preload database, which works
in all major browsers. Even the initial request goes to HTTPS then.
Numerous reasons to support the unencrypted version have already been
given, and (high) encryption is offered.
In my opinion you should offer encrypted and unencrypted over the same
address, and use technologies like these to make capable browsers that
prefer encryption, use that by default through this way.
Do not simply force encryption on the main site, there's simply no need
in this day and age. A lot of companies have thought about this before,
including major browser developers.
Since those are the ones we serve websites too, it shouldn't take too
much effort to convince people that they might have a point with doing
it this way.
You can also consider enabling DNSSEC-support for nginx.org, which also
makes your recursors able to validate nginx.org (and therefore downloads
and signature validation from).
You can then also mitigate MITM attacks, without encryption enabled.
As for speed, TLS with nginx is pretty fast, especially with other
technologies to quickly push through more requests.
Not same level as unencrypted connections, but it's -certainly with
hardware AES-support in most CPU's- not that big of a deal anymore for
Just my € 0,02
More information about the nginx