<div dir="ltr"><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">The problem is, if the GPG key is served through HTTP, there is no way to authenticate it, since it could be compromised through MITM.<br>I am very surprised to see myself being qualified as 'HTTPS despot' when I just spot the obvious.<br><br>Compromised repository + GPG key is one very powerful way of impersonating another product.<br><br>TLS provides both encryption and authentication, based on the initial shared circle of trust.<br>Thus you certify the GPG key is authentic and thus, if it verifies the binaries, you ensure the delivered package are produced by the owner of the key, in the end the real author.<br><br>In 2016, stating that content served over HTTP is 'secure' blows my mind and kills your credibility.<br></div><div class="gmail_extra"><br><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">Now, as Richard pointed out, if you truly believe you need to provide HTTP-only, you can. It would be better if it was in a very visible fashion, though.<br></div><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">Where was despotism, again?<br></div><div><div class="gmail_signature" data-smartmail="gmail_signature"><font size="1"><span style="color:rgb(102,102,102)">---<br></span><b><span style="color:rgb(102,102,102)">B. R.</span></b><span style="color:rgb(102,102,102)"></span></font></div></div>
<br><div class="gmail_quote">On Mon, Aug 22, 2016 at 5:40 PM, Richard Stanway <span dir="ltr"><<a href="mailto:r1ch+nginx@teamliquid.net" target="_blank">r1ch+nginx@teamliquid.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>1. You could provide <a href="http://insecure.nginx.org" target="_blank">insecure.nginx.org</a> mirror for such people, make <a href="http://nginx.org" target="_blank">nginx.org</a> secure by default.<br></div><div><br></div><div>2. Modern server CPUs are already extremely energy efficient, TLS adds negligible load. See <a href="https://istlsfastyet.com/" target="_blank">https://istlsfastyet.com/</a></div><div><div class="h5"><div><br></div><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Aug 22, 2016 at 12:31 PM, Valentin V. Bartenev <span dir="ltr"><<a href="mailto:vbart@nginx.com" target="_blank">vbart@nginx.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span>On Sunday 21 August 2016 15:56:09 B.R. wrote:<br>
> It is surprising, since I remember Ilya Grigorik made a talk about TLS<br>
> during the first ever nginx conf in 2014:<br>
> <a href="https://www.youtube.com/watch?v=iHxD-G0YjiU" rel="noreferrer" target="_blank">https://www.youtube.com/watch?<wbr>v=iHxD-G0YjiU</a><br>
> <a href="https://istlsfastyet.com/" rel="noreferrer" target="_blank">https://istlsfastyet.com/</a><br>
<br>
</span>It's just Ilya's opinion. You are free to agree or not.<br>
<span><br>
<br>
><br>
> Thus, there is no reason for not going full-HTTPS in delivering Web pages.<br>
<br>
</span>There are at least two reasons to not use HTTPS:<br>
<br>
1. Provide easy access to information for people, who can't use encryption<br>
by political, legal, or technical reasons.<br>
<br>
2. Don't waste resources on encryption, and thus save our planet.<br>
<br>
Please, don't be a TLS despot and let people to have a choice to use encryption<br>
or not.<br>
<br>
I think the situation when I can't download new version of OpenSSL using old<br>
version of OpenSSL is ridiculous, but they have configured <a href="http://openssl.org" rel="noreferrer" target="_blank">openssl.org</a> that way.<br>
How I supposed to use Internet then?<br>
<br>
wbr, Valentin V. Bartenev<br>
<div><div><br>
______________________________<wbr>_________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailm<wbr>an/listinfo/nginx</a><br>
</div></div></blockquote></div><br></div></div></div></div>
<br>______________________________<wbr>_________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/<wbr>mailman/listinfo/nginx</a><br></blockquote></div><br></div></div>