No HTTPS on nginx.org by default
rainer at ultra-secure.de
Mon Aug 22 15:58:47 UTC 2016
On 2016-08-22 17:44, Maxim Konovalov wrote:
> On 8/22/16 6:40 PM, Richard Stanway wrote:
>> 1. You could provide insecure.nginx.org <http://insecure.nginx.org>
>> mirror for such people, make nginx.org <http://nginx.org> secure by
>> default.
>>
> No, thanks. It is secure by default and HTTPS by default doesn't
> add any value.
>
>> 2. Modern server CPUs are already extremely energy efficient, TLS
>> adds negligible load. See https://istlsfastyet.com/
>>
> Sorry, failed to find any power consumption benchmarks here.
Well, in theory, a nation-state or someone in a user's network-path
could probably inject a trojaned binary/source-file (and also replace
the content of the checksum-file etc.).

But it's IMO not worth arguing about these things.

Also, an asteroid could hit earth and everything could be over next
week.

nginx doesn't provide an auto-update mechanism that stupidly downloads
and accepts all and everything somebody makes available under some
spoofed address.