No HTTPS on nginx.org by default
Maxim Konovalov
maxim at nginx.com
Mon Aug 22 17:30:42 UTC 2016
On 8/22/16 8:23 PM, Richard Stanway wrote:
> See https://nginx.org/en/linux_packages.html#stable
>
> PGP key links are hard coded to http URLs:
>
> <p>
> For Debian/Ubuntu, in order to authenticate the nginx repository
> signature
> and to eliminate warnings about missing PGP key during installation
> of the
> nginx package, it is necessary to add the key used to sign the nginx
> packages and repository to the <code>apt</code> program keyring.
> Please download <a href="http://nginx.org/keys/nginx_signing.key">this
> key</a> from our web site, and add it to the <code>apt</code>
> program keyring with the following command:
> </p>
>
Yes, I see. It should be fixed. Thanks.
> On Mon, Aug 22, 2016 at 7:19 PM, Maxim Konovalov <maxim at nginx.com> wrote:
>
> On 8/22/16 8:15 PM, Richard Stanway wrote:
> > Could you at least fix the https download page, so it doesn't
> > directly link to a HTTP PGP key?
> >
> It works correctly: https://nginx.org/en/download.html
>
> > On Mon, Aug 22, 2016 at 6:49 PM, Maxim Konovalov <maxim at nginx.com> wrote:
> >
> > On 8/22/16 7:41 PM, B.R. wrote:
> > > The problem is, if the GPG key is served through HTTP, there is no
> > > way to authenticate it, since it could be compromised through MITM.
> > > I am very surprised to see myself being qualified as 'HTTPS despot'
> > > when I just spot the obvious.
> > >
> > But it does not -- our PGP key is distributed through a number of
> > channels, including HTTPS. Problem solved, case closed?
> >
> > > Compromised repository + GPG key is one very powerful way of
> > > impersonating another product.
> > >
> > > TLS provides both encryption and authentication, based on the
> > > initial shared circle of trust.
> > > Thus you certify the GPG key is authentic and thus, if it verifies
> > > the binaries, you ensure the delivered packages are produced by the
> > > owner of the key, in the end the real author.
> > >
> > > In 2016, stating that content served over HTTP is 'secure' blows my
> > > mind and kills your credibility.
> > >
> > Who did that? What's his name?
> >
> > > Now, as Richard pointed out, if you truly believe you need to
> > > provide HTTP-only, you can. It would be better if it was in a very
> > > visible fashion, though.
> > > Where was despotism, again?
> >
> > nginx.org already has HTTPS therefore it is not HTTP-only.
> >
> > > ---
> > > *B. R.*
> > >
> > > On Mon, Aug 22, 2016 at 5:40 PM, Richard Stanway
> > > <r1ch+nginx at teamliquid.net> wrote:
> > >
> > > 1. You could provide insecure.nginx.org mirror for such people, make
> > > nginx.org secure by default.
> > >
> > > 2. Modern server CPUs are already extremely energy efficient,
> > > TLS adds negligible load. See https://istlsfastyet.com/
> > >
> > > On Mon, Aug 22, 2016 at 12:31 PM, Valentin V. Bartenev
> > > <vbart at nginx.com> wrote:
> > >
> > > On Sunday 21 August 2016 15:56:09 B.R. wrote:
> > > > It is surprising, since I remember Ilya Grigorik made a talk about TLS
> > > > during the first ever nginx conf in 2014:
> > > > https://www.youtube.com/watch?v=iHxD-G0YjiU
> > > > https://istlsfastyet.com/
> > >
> > > It's just Ilya's opinion. You are free to agree or not.
> > >
> > > > Thus, there is no reason for not going full-HTTPS in delivering Web pages.
> > >
> > > There are at least two reasons to not use HTTPS:
> > >
> > > 1. Provide easy access to information for people who can't use
> > > encryption for political, legal, or technical reasons.
> > >
> > > 2. Don't waste resources on encryption, and thus save our planet.
> > >
> > > Please, don't be a TLS despot and let people have a choice to use
> > > encryption or not.
> > >
> > > I think the situation when I can't download a new version of OpenSSL
> > > using an old version of OpenSSL is ridiculous, but they have configured
> > > openssl.org that way.
> > > How am I supposed to use the Internet then?
> > >
> > > wbr, Valentin V. Bartenev
> > >
--
Maxim Konovalov
Join us at nginx.conf, Sept. 7-9, Austin, TX: http://nginx.com/nginxconf
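The hard-coded `http://` key link Richard found on an HTTPS page is the kind of thing a small audit script catches before it ships. The Python below is an added example written for this archive page, not nginx.org's own tooling: it collects every `href` on a page, flags links to key files that use plain `http://`, and rewrites those to `https://`. The HTML sample is constructed from the paragraph quoted in the thread, and the list of key-file suffixes is an assumption.

```python
"""Audit an HTML page for signing-key links served over plain http://.

Added example for this thread; not nginx.org code. SAMPLE_PAGE is constructed
from the paragraph quoted in the thread and is not fetched from anywhere.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# File extensions that commonly carry OpenPGP public keys (assumption).
KEY_SUFFIXES = (".key", ".asc", ".gpg", ".pub")


class LinkCollector(HTMLParser):
    """Collect every href value found in <a> tags, in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.hrefs.append(value)


def is_key_url(url):
    """True if the URL path looks like a public-key file."""
    path = urlsplit(url).path.lower()
    return path.endswith(KEY_SUFFIXES)


def insecure_key_links(html):
    """Return key-file links whose scheme is an explicit plain http.

    Scheme-relative (//host/...) and relative links inherit the page's own
    scheme, so only an explicit http:// is reported.
    """
    parser = LinkCollector()
    parser.feed(html)
    return [h for h in parser.hrefs
            if urlsplit(h).scheme == "http" and is_key_url(h)]


def rewrite_to_https(html):
    """Rewrite only the offending key-file hrefs to https://; other markup untouched."""
    for link in insecure_key_links(html):
        html = html.replace('href="%s"' % link, 'href="%s"' % ("https" + link[4:]))
    return html


# Constructed sample: the quoted paragraph plus two extra links, one of which
# is plain http but not a key file and therefore must not be flagged.
SAMPLE_PAGE = """<p>
For Debian/Ubuntu, in order to authenticate the nginx repository signature,
please download <a href="http://nginx.org/keys/nginx_signing.key">this key</a>
from our web site, and add it to the <code>apt</code> program keyring.
</p>
<p>See also <a href="https://nginx.org/en/download.html">downloads</a>
and <a href="http://nginx.org/en/docs/">docs</a>.</p>
"""

if __name__ == "__main__":
    for link in insecure_key_links(SAMPLE_PAGE):
        print("insecure key link:", link)
    print(rewrite_to_https(SAMPLE_PAGE))
```

Run against a saved copy of the page, the audit lists each key link that would be fetched without transport authentication; the rewrite is a convenience for a static site where the links are literal strings in the source.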
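B.R.'s point is that a key fetched over plain HTTP is not authenticated by the transport, so the step that adds it to the apt keyring needs a check that does not depend on how the file arrived. Pinning the key's fingerprint, recorded from a second channel, gives that check. The Python below is an added example, not nginx's tooling: it dearmors a public key block, verifies the armor CRC-24, computes the RFC 4880 v4 fingerprint of the primary key packet, and compares it with a pinned value in constant time. The key block and the pinned fingerprint are constructed in the script from a dummy RSA packet; nginx's real signing key and its fingerprint are not on this page and are not used.

```python
"""Pin and verify an OpenPGP key fingerprint before trusting a downloaded key.

Added example for this thread; not nginx's own tooling. The key block below is
built in code from a constructed, unusable RSA public-key packet, and the
pinned fingerprint is derived from it, so nothing here is nginx's real key.
"""
import base64
import hashlib
import hmac
import struct

ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_END = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data):
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text):
    """Decode an ASCII-armored public key block, checking its CRC-24 trailer."""
    lines = text.strip().splitlines()
    if lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END:
        raise ValueError("not a public key block")
    body = lines[1:-1]
    # Armor headers (e.g. "Version: ...") run until the first blank line.
    if "" in body:
        body = body[body.index("") + 1:]
    crc_line = body[-1] if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(l for l in body if not l.startswith("=")))
    if crc_line is not None:
        expected = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
        if expected != crc24(data):
            raise ValueError("armor CRC mismatch")
    return data


def public_key_fingerprint(packet):
    """v4 fingerprint of the first packet, which must be a public key (tag 6)."""
    tag_byte = packet[0]
    if tag_byte & 0x40:  # new-format header
        tag = tag_byte & 0x3F
        first = packet[1]
        if first < 192:
            length, offset = first, 2
        elif first < 224:
            length, offset = ((first - 192) << 8) + packet[2] + 192, 3
        else:
            raise ValueError("unsupported packet length encoding")
    else:  # old-format header
        tag = (tag_byte >> 2) & 0x0F
        lentype = tag_byte & 0x03
        if lentype == 0:
            length, offset = packet[1], 2
        elif lentype == 1:
            length, offset = struct.unpack(">H", packet[1:3])[0], 3
        else:
            raise ValueError("unsupported packet length encoding")
    if tag != 6:
        raise ValueError("first packet is not a public key (tag %d)" % tag)
    body = packet[offset:offset + length]
    if len(body) != length or body[0] != 4:
        raise ValueError("truncated or non-v4 key packet")
    # RFC 4880 12.2: SHA-1 over 0x99, the two-octet body length, and the body.
    return hashlib.sha1(b"\x99" + struct.pack(">H", length) + body).hexdigest().upper()


def verify_pinned(armored_text, pinned_fingerprint):
    """True only if the block's primary key fingerprint equals the pinned one."""
    got = public_key_fingerprint(dearmor(armored_text))
    want = pinned_fingerprint.replace(" ", "").upper()
    return hmac.compare_digest(got, want)


def armor(packet):
    """Wrap a binary packet in ASCII armor (used here to build the sample)."""
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join([ARMOR_BEGIN, "", b64, "=" + crc, ARMOR_END])


# Constructed dummy v4 RSA key packet body: not a usable key, just a valid layout.
_BODY = (b"\x04"                     # version 4
         + b"\x57\xbb\x3a\x5e"       # creation time (constructed value)
         + b"\x01"                   # public-key algorithm 1 = RSA
         + b"\x00\x10\xc2\x5b"       # MPI n: 16-bit dummy modulus
         + b"\x00\x11\x01\x00\x01")  # MPI e: 17 bits, 65537
SAMPLE_PACKET = bytes([0x98, len(_BODY)]) + _BODY  # old-format tag 6, 1-byte length
SAMPLE_KEY_BLOCK = armor(SAMPLE_PACKET)
PINNED_FINGERPRINT = public_key_fingerprint(SAMPLE_PACKET)  # value you record out of band

if __name__ == "__main__":
    print("fingerprint:", PINNED_FINGERPRINT)
    print("pinned match:", verify_pinned(SAMPLE_KEY_BLOCK, PINNED_FINGERPRINT))
```

In practice the pinned value comes from a channel other than the download itself (the HTTPS site, a keyserver, a printed fingerprint), and the comparison runs before the key is added to the apt keyring; a mismatch means the file is not imported, whatever transport delivered it.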