No HTTPS on nginx.org by default

Richard Stanway r1ch+nginx at teamliquid.net
Mon Aug 22 17:15:21 UTC 2016


Could you at least fix the HTTPS download page, so it doesn't directly link
to an HTTP PGP key?

On Mon, Aug 22, 2016 at 6:49 PM, Maxim Konovalov <maxim at nginx.com> wrote:

> On 8/22/16 7:41 PM, B.R. wrote:
> > The problem is, if the GPG key is served through HTTP, there is no
> > way to authenticate it, since it could be compromised through MITM.
> > I am very surprised to see myself being qualified as 'HTTPS despot'
> > when I just spot the obvious.
> >
> But it does not -- our PGP key is distributed through a number of
> channels, including HTTPS.  Problem solved, case closed?
>
> > Compromised repository + GPG key is one very powerful way of
> > impersonating another product.
> >
> > TLS provides both encryption and authentication, based on the
> > initial shared circle of trust.
> > Thus you certify the GPG key is authentic and thus, if it verifies
> > the binaries, you ensure the delivered packages are produced by the
> > owner of the key, in the end the real author.
> >
> > In 2016, stating that content served over HTTP is 'secure' blows my
> > mind and kills your credibility.
> >
> Who did that?  What's his name?
>
> > Now, as Richard pointed out, if you truly believe you need to
> > provide HTTP-only, you can. It would be better if it was in a very
> > visible fashion, though.
> > Where was despotism, again?
>
> nginx.org already has HTTPS therefore it is not HTTP-only.
>
> > ---
> > *B. R.*
> >
> > On Mon, Aug 22, 2016 at 5:40 PM, Richard Stanway
> > <r1ch+nginx at teamliquid.net> wrote:
> >
> >     1. You could provide an insecure.nginx.org mirror for such people,
> >     and make nginx.org secure by default.
> >
> >     2. Modern server CPUs are already extremely energy efficient,
> >     TLS adds negligible load. See https://istlsfastyet.com/
> >
> >
> >
> >     On Mon, Aug 22, 2016 at 12:31 PM, Valentin V. Bartenev
> >     <vbart at nginx.com> wrote:
> >
> >         On Sunday 21 August 2016 15:56:09 B.R. wrote:
> >         > It is surprising, since I remember Ilya Grigorik made a talk
> >         > about TLS during the first ever nginx conf in 2014:
> >         > https://www.youtube.com/watch?v=iHxD-G0YjiU
> >         > https://istlsfastyet.com/
> >
> >         It's just Ilya's opinion.  You are free to agree or not.
> >
> >
> >         >
> >         > Thus, there is no reason for not going full-HTTPS in
> >         > delivering Web pages.
> >
> >         There are at least two reasons to not use HTTPS:
> >
> >          1. Provide easy access to information for people who can't
> >             use encryption for political, legal, or technical reasons.
> >
> >          2. Don't waste resources on encryption, and thus save our
> >             planet.
> >
> >         Please, don't be a TLS despot and let people have a choice to
> >         use encryption or not.
> >
> >         I think the situation when I can't download a new version of
> >         OpenSSL using an old version of OpenSSL is ridiculous, but they
> >         have configured openssl.org that way.
> >         How am I supposed to use the Internet then?
> >
> >           wbr, Valentin V. Bartenev
> >
>
>
> --
> Maxim Konovalov
> Join us at nginx.conf, Sept. 7-9, Austin, TX: http://nginx.com/nginxconf
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
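The check that B.R.'s trust-chain argument implies, as an added example that is not code from this thread or from the nginx project: compute the OpenPGP v4 fingerprint of a key that arrived over an unauthenticated channel and refuse it unless it matches a fingerprint pinned from an authenticated one (the HTTPS page, or the several channels Maxim mentions). The packet layout follows RFC 4880; the armor stripper, the demo key and its fingerprint are constructed here and do not represent nginx's real signing key.

```python
import base64
import hashlib
import hmac

def dearmor(text: str) -> bytes:
    """Strip RFC 4880 armor: header lines, the blank line and the trailing '=CRC' line."""
    inner = text.split("-----")[2]  # between 'BEGIN ...-----' and '-----END ...'
    b64 = [ln for ln in inner.splitlines() if ln and ":" not in ln and not ln.startswith("=")]
    return base64.b64decode("".join(b64))

def _first_packet(data: bytes):
    """Return (tag, body) of the first OpenPGP packet (RFC 4880 section 4.2)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:  # new-format header
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths unsupported")
    else:  # old-format header (what gpg emits for keys: 0x99 = tag 6, 2-byte length)
        tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
        if n == 8:
            raise ValueError("indeterminate length unsupported")
        length, off = int.from_bytes(data[1:1 + n], "big"), 1 + n
    return tag, data[off:off + length]

def v4_fingerprint(key: bytes) -> str:
    """SHA-1 over 0x99 || 2-byte length || public-key packet body (RFC 4880 section 12.2)."""
    tag, body = _first_packet(key)
    if tag != 6 or body[0] != 4:
        raise ValueError("expected a v4 public-key packet")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def trust_key(key: bytes, pinned_fingerprint: str) -> bool:
    """Accept a key fetched over an unauthenticated channel only if it matches the pin."""
    want = pinned_fingerprint.replace(" ", "").upper()
    return hmac.compare_digest(v4_fingerprint(key), want)

def _mpi(n: int) -> bytes:
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

_BODY = b"\x04\x00\x00\x00\x00\x01" + _mpi(0xC0FFEE) + _mpi(65537)  # constructed demo key (not nginx's): v4, time 0, RSA, toy modulus
DEMO_KEY = b"\x99" + len(_BODY).to_bytes(2, "big") + _BODY
DEMO_ARMOR = "-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: demo\n\n" + base64.b64encode(DEMO_KEY).decode() + "\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n"
```

Only after `trust_key` accepts the key should it be imported and used to verify package signatures; a mismatch means the key, not just the transport, is untrusted.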