On Sunday 20 July 2014 13:52:20, Peter Palfrader wrote:
> On Sun, 20 Jul 2014, Wouter Verhelst wrote:
> > These are all good arguments for enabling HTTPS and making it the
> > default (which I've said repeatedly is a move that I support, or at the
> > very least don't oppose), but not for *disabling* the possibility of
> > plain HTTP.
>
> Pray tell: How do you make it default.

- Enable HSTS on the domain
- Run "sed -i -e 's,http://people.debian.org,https://people.debian.org,g'"
  over a webwml export.
- Create a robots.txt file which is visible from the HTTP export (but not
  from the HTTPS one) which looks like this:

User-Agent: *
Disallow: /

With those three easy steps, the only URLs that people will ever find
will be HTTPS URLs. 99% of your traffic will be HTTPS traffic, and that
will be a good thing. Yet when necessary, doing unencrypted HTTP will
still be possible.

It still misses something like step 2 for wiki.debian.org and "all other
stuff out there", but because of step 1 that shouldn't be *too* much of
a problem.

This will also help in, say, the (granted, hypothetical) scenario where
a package in unstable breaks the system so badly that downloading files
over HTTPS is no longer possible and a maintainer wants to post a
(GPG-signed) patch over on http://people.debian.org

-- 
It is easy to love a country that is famous for chocolate and beer

  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26
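
Added example, not part of the original message: a small Python audit that checks whether the three steps listed above are in effect, given an HTTPS response's headers, both robots.txt bodies and a page from the export. The function names and the sample inputs are constructed for illustration.

```python
import re

def hsts_max_age(headers):
    """max-age from Strict-Transport-Security, or None if absent or malformed."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            m = re.search(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)', value, re.I)
            return int(m.group(1)) if m else None
    return None

def blocks_all_crawlers(robots_txt):
    """True if the group that applies to 'User-agent: *' contains 'Disallow: /'."""
    in_star_group = prev_was_agent = False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if ":" not in line:
            continue
        field, value = (p.strip() for p in line.split(":", 1))
        if field.lower() == "user-agent":
            # consecutive User-agent lines belong to the same group
            in_star_group = (in_star_group and prev_was_agent) or value == "*"
            prev_was_agent = True
        else:
            prev_was_agent = False
            if field.lower() == "disallow" and in_star_group and value == "/":
                return True
    return False

def leftover_http_links(html, host="people.debian.org"):
    """Plain-HTTP links to host that the sed rewrite did not reach."""
    return re.findall(r"http://" + re.escape(host) + r"[^\s<>\"']*", html)

def audit(https_headers, http_robots, https_robots, exported_html):
    findings = []
    if not hsts_max_age(https_headers):              # None, or max-age=0 (HSTS cleared)
        findings.append("step 1: no usable HSTS header on the HTTPS response")
    links = leftover_http_links(exported_html)
    if links:
        findings.append(f"step 2: {len(links)} plain-HTTP link(s) left in export")
    if not blocks_all_crawlers(http_robots):
        findings.append("step 3: HTTP robots.txt does not disallow /")
    if blocks_all_crawlers(https_robots):
        findings.append("step 3: HTTPS robots.txt blocks crawlers as well")
    return findings

# Constructed sample inputs (not captured from any real server).
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=31536000"}
SAMPLE_HTTP_ROBOTS = "User-Agent: *\nDisallow: /\n"
SAMPLE_HTTPS_ROBOTS = "User-agent: *\nDisallow:\n"
SAMPLE_EXPORT = ('<a href="https://people.debian.org/~user/">ok</a> '
                 '<a href="http://people.debian.org/~user/fix.diff">missed</a>')

if __name__ == "__main__":
    print(audit(SAMPLE_HEADERS, SAMPLE_HTTP_ROBOTS, SAMPLE_HTTPS_ROBOTS, SAMPLE_EXPORT))
```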