No HTTPS on nginx.org by default

B.R. reallfqq-nginx at yahoo.fr
Mon Aug 22 16:41:50 UTC 2016


The problem is, if the GPG key is served through HTTP, there is no way to
authenticate it, since it could be compromised through MITM.
I am very surprised to see myself being qualified as 'HTTPS despot' when I
just spot the obvious.

Compromised repository + GPG key is one very powerful way of impersonating
another product.

TLS provides both encryption and authentication, based on the initial
shared circle of trust.
Thus you certify the GPG key is authentic and thus, if it verifies the
binaries, you ensure the delivered packages are produced by the owner of the
key, in the end the real author.

In 2016, stating that content served over HTTP is 'secure' blows my mind
and kills your credibility.

Now, as Richard pointed out, if you truly believe you need to provide
HTTP-only, you can. It would be better if it was in a very visible fashion,
though.
Where was despotism, again?
---
*B. R.*

On Mon, Aug 22, 2016 at 5:40 PM, Richard Stanway <r1ch+nginx at teamliquid.net>
wrote:

> 1. You could provide insecure.nginx.org mirror for such people, make
> nginx.org secure by default.
>
> 2. Modern server CPUs are already extremely energy efficient, TLS adds
> negligible load. See https://istlsfastyet.com/
>
>
>
> On Mon, Aug 22, 2016 at 12:31 PM, Valentin V. Bartenev <vbart at nginx.com>
> wrote:
>
>> On Sunday 21 August 2016 15:56:09 B.R. wrote:
>> > It is surprising, since I remember Ilya Grigorik made a talk about TLS
>> > during the first ever nginx conf in 2014:
>> > https://www.youtube.com/watch?v=iHxD-G0YjiU
>> > https://istlsfastyet.com/
>>
>> It's just Ilya's opinion.  You are free to agree or not.
>>
>>
>> >
>> > Thus, there is no reason for not going full-HTTPS in delivering Web
>> pages.
>>
>> There are at least two reasons to not use HTTPS:
>>
>>  1. Provide easy access to information for people who can't use
>>     encryption for political, legal, or technical reasons.
>>
>>  2. Don't waste resources on encryption, and thus save our planet.
>>
>> Please, don't be a TLS despot and let people have a choice to use
>> encryption or not.
>>
>> I think the situation when I can't download a new version of OpenSSL using
>> an old version of OpenSSL is ridiculous, but they have configured
>> openssl.org that way.
>> How am I supposed to use the Internet then?
>>
>>   wbr, Valentin V. Bartenev
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
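A defender-side check for the weakness B.R. describes, added here as an example that is not part of the thread or of nginx's own tooling: it flags repository definitions whose package index or signing key would be fetched over plain HTTP, where nothing authenticates the key the signature check depends on. The two config snippets and the nginx.example host are constructed.

```python
"""Audit package-repository definitions: a signing key or package index
fetched over plain HTTP cannot be authenticated, so a signature check
resting on that key proves nothing. All sample inputs are constructed."""
import configparser
from urllib.parse import urlsplit

# Constructed sample in yum/dnf .repo format (not the real nginx.org file).
SAMPLE_YUM_REPO = """\
[nginx]
name=nginx repo
baseurl=http://nginx.example/packages/centos/7/$basearch/
gpgkey=http://nginx.example/keys/nginx_signing.key
"""

# Constructed sample in apt sources.list format.
SAMPLE_APT_SOURCES = """\
# comment line, ignored
deb https://nginx.example/packages/debian/ jessie nginx
deb-src http://nginx.example/packages/debian/ jessie nginx
"""

def _is_plain_http(url: str) -> bool:
    return urlsplit(url.strip()).scheme.lower() == "http"

def audit_yum_repo(text: str) -> list:
    """Return (section, key, url) for every baseurl/gpgkey/mirrorlist over HTTP."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for key in ("baseurl", "gpgkey", "mirrorlist"):
            # one key may list several URLs separated by whitespace
            for url in cp.get(section, key, fallback="").split():
                if _is_plain_http(url):
                    findings.append((section, key, url))
    return findings

def audit_apt_sources(text: str) -> list:
    """Return (type, url) for every deb/deb-src line whose URL is plain HTTP."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("deb", "deb-src"):
            continue
        has_opts = parts[1].startswith("[")  # optional "[arch=amd64]" field
        if has_opts and len(parts) < 3:
            continue
        url = parts[2] if has_opts else parts[1]
        if _is_plain_http(url):
            findings.append((parts[0], url))
    return findings
```

Run the two audit functions over your real `/etc/yum.repos.d/*.repo` or `/etc/apt/sources.list*` contents; any finding means the key or index is fetched without authentication.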