Hi,

Right now a number of Gentoo webpages are by default served over http.
There is a growing trend to push more webpages to default to https,
mostly pushed by google. I think this is a good thing and I think
Gentoo should follow.

Right now we seem to have a mix:
* A number of webpages default to http and have optional https
  (www.gentoo.org)
* Some with sensitive logins are already https by default (e.g.
  bugs.gentoo.org), but they don't use HSTS, which they should
* Some with logins are mixed http/login-via-https, which makes them
  vulnerable to SSL-stripping attacks (e.g. wiki.gentoo.org)

I'd propose the following:
* Make all pages under .gentoo.org https by default
* Make sure all use modern HTTPS features, including:
 * OCSP Stapling
 * HSTS
 * A secure collection of cipher suites
 * (one may add HPKP here, but it requires careful planning and has the
   potential to lock people out of the page if done wrong)
(In the long term I think it would also be good to have downloads over
https, but I'm aware that this is more difficult as it involves mirror
operators that are not under direct control of Gentoo infrastructure.)
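To make the list above concrete, here is an nginx virtual host that implements each point of the proposal. This is an added example, not a configuration from this mail or from Gentoo infrastructure; the hostname, certificate paths, resolver address and document root are placeholders.

```nginx
# Added example (not from the mail above or Gentoo infra): an nginx vhost
# implementing the proposal. www.example.org and all paths are placeholders.

# 1. The plain-HTTP listener only redirects to HTTPS. With no content served
#    over http, an SSL-stripping proxy has no http page to keep a user on.
server {
    listen 80;
    listen [::]:80;
    server_name www.example.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.example.org;

    ssl_certificate     /etc/ssl/example.org/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/example.org/privkey.pem;    # placeholder path

    # 2. Modern protocol versions and a restricted, forward-secret,
    #    AEAD-only cipher list.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;   # every listed suite is acceptable, let the client choose
    ssl_session_cache shared:TLS:10m;  # resumption removes a round trip on repeat visits
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # 3. OCSP stapling: nginx fetches the OCSP response itself and attaches
    #    it to the handshake, so clients need not contact the CA.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/example.org/chain.pem;  # placeholder: issuer chain
    resolver 127.0.0.1 valid=300s;                            # placeholder: local resolver for the OCSP URL

    # 4. HSTS. "always" makes nginx send the header on error responses too.
    #    Start with a short max-age while rolling out, then raise it;
    #    includeSubDomains only makes sense once every subdomain serves https.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # 5. HPKP is deliberately omitted: a wrong pin locks visitors out for the
    #    whole pin lifetime, which is the risk noted in the proposal.

    root /var/www/example.org;  # placeholder
}
```

The http/2 listener covers the latency point made below: once the connection is encrypted, multiplexing recovers more than the handshake cost.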

As I know how these discussions go, I'll answer in advance some
counter-arguments that may come up:

"It's not necessary to do https on pages without logins"
These kinds of arguments show a fundamental misunderstanding of what
https does. It guarantees confidentiality *and* integrity. In short, it
protects content not only from observation, but also from manipulation,
which is always a good thing. A very practical example is that on some
networks foreign ads get injected into other people's webpages.

"Makes things slower / servers can't handle it"
The performance costs for TLS on a server are often vastly overstated.
The performance hit on servers doing https is very close to zero; it
just doesn't matter much.
There are some latency problems for connections, but these can mostly
be wiped out by a sane configuration of the server. If http/2 is used
one can even improve the performance with https.

"Certificates are too expensive"
Gentoo already has certs for all pages, so this is not an argument
here, but if this ever becomes an issue there are a number of CAs these
days that issue free certs. In summer the community-based CA Let's
Encrypt will start, which will be another option.

"CAs are bad and the whole system is broken"
Partly true, but it doesn't get any better if people stick to HTTP.
Many problems of the CA system can be mitigated by modern technologies
like Key Pinning and Certificate Transparency.

I think defaulting the net to HTTPS is a big step for more security and
I think Gentoo should join the trend here.

cu,

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42
