On Fri, Jan 07, 2022 at 01:42:40AM +0000, Antonio Leding <t...@leding.net> wrote:
> Not sure if this is a question for the community or just the devs but one of
> the credos this user swears by is “If it isn’t broken, then don’t go fixin’
> it…”
>
> There’s this FUD out there that all sites MUST be https. Of course I
> disagree with this sentiment but perhaps there is something I’m missing.
>
> So, to the community: What is gained by requiring postfix.org to use https?

<opinions>

I doubt that anyone can require this (other than Wietse of course).

Supporting HTTPS is supposed to make Google rank a page higher, but any
Google search for Postfix will show www.postfix.org as the first search
result anyway, so that's not a gain.

It also prevents some browsers from indicating that a site is "insecure",
but anyone going directly to www.postfix.org will know better than to
worry about that.

Confidentiality isn't important since it's publicly available software.

The only thing that is truly gained is Integrity: the assurance that
there's no man-in-the-middle attack between you and the site modifying
data en route. But if you think someone will trick you into downloading a
false version of the Postfix software, you can check the signature. Or
download it from one of the mirror sites that do HTTPS, and then check the
signature. Or install it via your system's package manager which will
automatically check the package's signature. So no gain there.

Being flippant, it would protect against a man-in-the-middle attack where
someone tricks you into reading false online documentation. :-)

Having said all that, I doubt that there's much harm in it these days
(except when root CAs expire of course, and plain HTTP access has been
turned off). :-)

Less flippantly, confidentiality and integrity do matter in general.
That's why Google encourages HTTPS, and why Let's Encrypt exists. For many
sites, it really does matter. For others, it's not that important. But
it's the better default preference.

</opinions>

cheers,
raf
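The signature check raf refers to above, worked through as an added example (this is not code from the thread or from the Postfix project): a `verify_release` function that runs `gpg --verify` on a tarball and its detached signature and reports GOOD or BAD, plus an offline `run_demo` that exercises it. The demo generates a throwaway key in a temporary GNUPGHOME as a stand-in for the maintainer's real signing key, and signs a constructed file that stands in for the release tarball; both are assumptions made so the script runs without network access. Nothing is fetched from postfix.org, and the function and file names are this example's own. Requires gpg 2.1 or later.

```shell
#!/bin/sh
# Added example (not from the postfix-users thread or the Postfix project):
# verifying a downloaded release tarball against its detached OpenPGP
# signature, the integrity check that makes plain-HTTP download safe in
# practice. Requires gpg 2.1+.
#
# verify_release TARBALL SIGFILE
#   Prints GOOD when SIGFILE is a valid detached signature over TARBALL made
#   by a key already in the local keyring, BAD otherwise (bad signature,
#   tampered file, unknown key, unreadable input). Exit status is always 0;
#   the caller decides what to do with the verdict.
verify_release() {
    if gpg --batch --quiet --verify "$2" "$1" >/dev/null 2>&1; then
        echo GOOD
    else
        echo BAD
    fi
}

# run_demo: an offline walk-through of the check, run in a subshell so the
# temporary GNUPGHOME does not leak into the caller's environment.
# A throwaway key stands in for the real release-signing key and a
# constructed file stands in for the tarball (assumptions for the demo, not
# anything downloaded). It signs the file, verifies it, then appends one
# byte, which is all a man-in-the-middle on plain HTTP would need to do,
# and verifies again. Prints "<verdict before> <verdict after>".
run_demo() (
    set -e
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    GNUPGHOME="$work/gnupg"
    export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"

    # Throwaway signing key. Assumption: stands in for the maintainer's key,
    # which in real use you import once from a source you already trust.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Release Key <demo@example.invalid>' \
        default sign never >/dev/null 2>&1

    tarball="$work/postfix-demo.tar.gz"   # constructed stand-in, not a release
    sigfile="$tarball.sig"
    printf 'constructed tarball contents\n' > "$tarball"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign --armor --output "$sigfile" "$tarball" >/dev/null 2>&1

    before=$(verify_release "$tarball" "$sigfile")

    # Simulate modification in transit: a single extra byte is enough.
    printf 'x' >> "$tarball"
    after=$(verify_release "$tarball" "$sigfile")

    echo "$before $after"
)

# `sh verify_release.sh demo` prints "GOOD BAD".
case "${1:-}" in
    demo) run_demo ;;
esac
```

Against a real release the only difference is where the key comes from: import the maintainer's public key once from a channel you trust (a keyserver, a key you already have, or an HTTPS mirror, as raf suggests), then call `verify_release` on the tarball and the signature file that ships beside it. A GOOD verdict means the bytes on disk are exactly what the key holder signed, whether they travelled over HTTP, HTTPS, or a mirror.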