On 8/22/16 7:41 PM, B.R. wrote:
> The problem is, if the GPG key is served through HTTP, there is no
> way to authenticate it, since it could be compromised through MITM.
> I am very surprised to see myself being qualified as 'HTTPS despot'
> when I just spot the obvious.
>
But it does not -- our PGP key is distributed through a number of
channels, including HTTPS. Problem solved, case closed?

> Compromised repository + GPG key is one very powerful way of
> impersonating another product.
>
> TLS provides both encryption and authentication, based on the
> initial shared circle of trust.
> Thus you certify the GPG key is authentic and thus, if it verifies
> the binaries, you ensure the delivered packages are produced by the
> owner of the key, in the end the real author.
>
> In 2016, stating that content served over HTTP is 'secure' blows my
> mind and kills your credibility.
>
Who did that? What's his name?

> Now, as Richard pointed out, if you truly believe you need to
> provide HTTP-only, you can. It would be better if it was in a very
> visible fashion, though.
>
Where was despotism, again? nginx.org already has HTTPS, therefore it
is not HTTP-only.

> ---
> *B. R.*
>
> On Mon, Aug 22, 2016 at 5:40 PM, Richard Stanway
> <r1ch+ng...@teamliquid.net> wrote:
>
> > 1. You could provide insecure.nginx.org mirror for such people, make
> > nginx.org secure by default.
> >
> > 2. Modern server CPUs are already extremely energy efficient,
> > TLS adds negligible load. See https://istlsfastyet.com/
> >
> > On Mon, Aug 22, 2016 at 12:31 PM, Valentin V. Bartenev
> > <vb...@nginx.com> wrote:
> >
> > > On Sunday 21 August 2016 15:56:09 B.R. wrote:
> > > > It is surprising, since I remember Ilya Grigorik made a talk about TLS
> > > > during the first ever nginx conf in 2014:
> > > > https://www.youtube.com/watch?v=iHxD-G0YjiU
> > > > https://istlsfastyet.com/
> > >
> > > It's just Ilya's opinion. You are free to agree or not.
> > >
> > > > Thus, there is no reason for not going full-HTTPS in delivering Web pages.
> > >
> > > There are at least two reasons to not use HTTPS:
> > >
> > > 1. Provide easy access to information for people who can't use encryption
> > > for political, legal, or technical reasons.
> > >
> > > 2. Don't waste resources on encryption, and thus save our planet.
> > >
> > > Please, don't be a TLS despot and let people have a choice to use encryption
> > > or not.
> > >
> > > I think the situation when I can't download a new version of OpenSSL using an old
> > > version of OpenSSL is ridiculous, but they have configured openssl.org that way.
> > > How am I supposed to use the Internet then?
> > >
> > > wbr, Valentin V. Bartenev

--
Maxim Konovalov
Join us at nginx.conf, Sept. 7-9, Austin, TX: http://nginx.com/nginxconf