Hello, I noticed that the PGP key used for signing the Debian release packages recently expired. I went to download the new one and noticed that nginx.org wasn't using HTTPS by default. Manually entering an https URL works as expected, although some pages have hard-coded http links in them.
Is there a reason that the website isn't using HTTPS and STS / HPKP? It would help mitigate potential MITM attacks, especially on precompiled binaries and PGP key downloads.
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx