Hi,

I see that HTTPS was enabled for www.debian.org
https://lists.debian.org/debian-www/2014/02/msg00041.html

Could you please also set HSTS (HTTP Strict Transport Security) for www.debian.org?
HSTS will help to protect users from SSL-stripping attacks.

This can be done on Apache using:

    # load module (example using [RHEL])
    LoadModule headers_module modules/mod_headers.so

    <VirtualHost 10.0.0.1:443>
        # Use HTTP Strict Transport Security to force client to use secure connections only
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    </VirtualHost>

Please consider also getting an SSL certificate for your subdomain search.debian.org.

There is a very good talk from Adam Langley (the engineer behind Google's HTTPS serving infrastructure and Google Chrome's network stack) about securing web sites with HTTPS:

HOPE number 9 (2012) | 2600 - The State of HTTPS
https://www.youtube.com/watch?v=LBbCec4Bp10

Milan

On 23.10.2013 14:29, Milan Kral wrote:
> It would be useful to have HTTPS because of the widespread mass surveillance
> https://en.wikipedia.org/wiki/2013_mass_surveillance_disclosures#.22Mastering_the_Internet.22
> https://en.wikipedia.org/wiki/Bullrun_%28code_name%29
>
>> ** Tue, 01 Oct 2013 14:26:53 +0200 - [email protected], "Gerfried Fuchs" <[email protected]> **
>>
>> HTTPS makes MiTM attacks harder. There is important information
>> on www.debian.org which should be protected against modification.
>> For example GPG fingerprints: http://www.debian.org/CD/verify
>>
>> Of course GPG keys should be checked using Web of Trust, but
>> HTTPS could be the first layer of protection. From the user
>> point of view it's automatic and transparent.
>>
>> keyring.debian.org doesn't support HTTPS ...
>>
>>
>>> ** Tue, 1 Oct 2013 13:59:28 +0200 - [email protected], "Gerfried Fuchs" <[email protected]> **
>>>
>>> * milan.kral <[email protected]> [2013-10-01 13:34:05 CEST]:
>>>> www.debian.org is the important main Debian web page, but it doesn't
>>>> support https. Could it be possible to enable HTTPS? For example
>>>> lists.debian.org and wiki.debian.org support HTTPS.
>>>
>>> Because on lists.debian.org you have subscribe information, handing
>>> over email addresses that you might not want to get eavesdropped, and on
>>> wiki you have login information that you clearly don't want to have go
>>> unencrypted over the wire.
>>>
>>> What information do you consider exchanging with www.debian.org that you
>>> consider sensitive and needing https? "Because we can" doesn't sound
>>> very convincing to me. :)
>>>
>>> Enjoy!
>>> Rhonda
>>> --
>>> Do you feel discouraged? Finally take courage, go       |
>>> Do you feel helpless? Go out and help, go               | Wir sind Helden
>>> Do you feel powerless? Go out and act, go               | 23.55: Alles auf Anfang
>>> Do you feel adrift? Find something to hold on to and let go |
Archive: https://lists.debian.org/[email protected]
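A check for the header proposed in the message above, added here as an example; it is not part of the thread and not Debian's configuration or code. It parses a Strict-Transport-Security value the way RFC 6797 tells a browser to (max-age is mandatory, directive names are case-insensitive, a duplicated directive invalidates the header, unknown directives are ignored, and a header received over plain HTTP is discarded), then audits a few constructed sample responses against the `max-age=31536000; includeSubDomains` policy from the Apache snippet. Function names, the `audit` findings text and the sample responses are all constructed for this example.

```python
"""Parse and audit a Strict-Transport-Security (HSTS) response header.

Added example for the debian-www thread above; not Debian's code.
Applies the RFC 6797 processing rules a browser uses before storing
a policy, then reports what a deployer would want to fix.
"""
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # seconds; the max-age value proposed in the thread


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Return the policy encoded in an STS header value, or None when the
    header is malformed in a way that makes a browser discard it."""
    max_age = None
    include_sub = False
    preload = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:          # tolerate a trailing ';'
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        arg = arg.strip().strip('"')         # max-age may be a quoted-string
        if name in seen:                     # RFC 6797 6.1: duplicate directive -> invalid
            return None
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # any other directive is ignored for forward compatibility
    if max_age is None:                      # max-age is REQUIRED
        return None
    return HstsPolicy(max_age, include_sub, preload)


def effective_policy(headers: dict, over_tls: bool) -> Optional[HstsPolicy]:
    """Policy a conforming browser would store for this response.
    Header names are matched case-insensitively; HSTS sent over plain
    HTTP is ignored, which is why the header alone does not stop
    SSL-stripping on the first visit."""
    if not over_tls:
        return None
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return parse_hsts(value)
    return None


def audit(headers: dict, over_tls: bool, min_age: int = ONE_YEAR) -> list:
    """Findings a deployer would want to fix; an empty list means the
    response matches the policy proposed in the thread."""
    findings = []
    if not over_tls:
        findings.append("response not over TLS: any HSTS header is ignored by browsers")
        return findings
    policy = effective_policy(headers, over_tls)
    if policy is None:
        findings.append("no valid Strict-Transport-Security header")
        return findings
    if policy.max_age == 0:
        findings.append("max-age=0 clears the policy (removes the host from the HSTS cache)")
    elif policy.max_age < min_age:
        findings.append(f"max-age {policy.max_age} below recommended {min_age}")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains stay strippable")
    return findings


# Constructed sample responses (not captured from any real host)
SAMPLES = {
    "proposed": ({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, True),
    "plain_http": ({"Strict-Transport-Security": "max-age=31536000"}, False),
    "short": ({"strict-transport-security": "max-age=3600"}, True),
    "missing": ({"Content-Type": "text/html"}, True),
}

if __name__ == "__main__":
    for label, (hdrs, tls) in SAMPLES.items():
        print(f"{label:10s} {audit(hdrs, tls) or ['ok']}")
```

The `over_tls` flag matters more than it looks: a server that emits the header on its port-80 virtual host as well gains nothing, because browsers only honour HSTS from an HTTPS response, so the plain-HTTP side should redirect to HTTPS and the header belongs on the `:443` host exactly as the thread's snippet places it.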

