No HTTPS on nginx.org by default

rainer at ultra-secure.de rainer at ultra-secure.de
Mon Aug 22 15:58:47 UTC 2016


On 2016-08-22 17:44, Maxim Konovalov wrote:
> On 8/22/16 6:40 PM, Richard Stanway wrote:
>> 1. You could provide insecure.nginx.org
>> mirror for such people, make nginx.org secure by
>> default.
>> 
> No, thanks.  It is secure by default and HTTPS by default doesn't
> add any value.
> 
>> 2. Modern server CPUs are already extremely energy efficient, TLS
>> adds negligible load. See https://istlsfastyet.com/
>> 
> Sorry, failed to find any power consumption benchmarks here.



Well, in theory, a nation-state or someone in a user's network-path 
could probably inject a trojaned binary/source-file (and also replace 
the content of the checksum-file etc.).

But it's IMO not worth arguing about these things.

Also, an asteroid could hit earth and everything could be over next 
week.

nginx doesn't provide an auto-update mechanism that stupidly downloads 
and accepts all and everything somebody makes available under some 
spoofed address.


