On Sat, Mar 10, 2012 at 10:44:55AM -0600, Daxter wrote:
> On Mar 10, 2012, at 3:44 AM, Florent Daigniere wrote:
> > On Fri, Mar 09, 2012 at 07:11:19PM -0600, Daxter wrote:
> >>
> >> I'm all for HTTPS, but do we really want to outright *remove*
> >> functionality from the site? Sure, HTTP isn't secure and all "modern" web
> >> browsers support it. However, we would be making it harder for people to
> >> learn about Freenet and potentially try it out.
> >>
> >
> > Why? You could still access it over HTTP... and be presented with
> > (transparent) redirect to the secure version.
>
> I just scratched an itch and discovered that even Lynx supports HTTPS? If it
> really is the case that HTTPS has become so ubiquitous that users wouldn't be
> affected, then sure, go ahead with it.
>
> HOWEVER: the question really needs to be restated. Are there any countries or
> ISPs that are known to disallow secure communications?
>
I can name plenty of countries filtering HTTP (starting with the UK, where I
live); I'm not sure I can name a single one filtering HTTPS.

Fundamentally, we can't prevent filtering... but we can prevent tampering of
what we publish using cryptography.

> >> In the end I think we should do what every major website does today:
> >> encrypt the important data and let the entire site be accessible securely,
> >> but don't force it onto people.
> >>
> >> -Daxter
> >
> > It's very difficult to do and most websites do it wrong. You have to think
> > about mixed-content errors, cookie flags, ...
> >
> > Sending credentials in cleartext like we do on the wikis, with no secure
> > alternative, is a disgrace.
> >
> > Florent
>
>
> Can you give me an example of a website that in your mind does either the
> mixed model or the secure-only model properly? It would be nice to compare
> with them.
>

https://www.torproject.org/ does it properly (HTTPS everywhere)
https://bugs.freenetproject.org/ does it properly
https://www.trustmatta.com/ does it properly
https://umbraco.codeplex.com/SourceControl/list/changesets doesn't do it
properly (mixed content on the https version)
http://www.laposte.net/ (major webmail provider in France) doesn't do it
properly (form hosted over http)
My bank's website doesn't do it properly (they don't set the 'secure' flag on
their session cookie)
...

I'm not short of examples; these are the open tabs in my browser right now.

> Actually, the wiki supports HTTPS right now. You'll get a certificate error,
> but it works.
>

Hmmff? If you get a certificate error it doesn't work.

> While we're on the subject (as I've never bothered with HTTPS on the site
> until now), turns out it's rather misconfigured. Both the wiki and the main
> site return a certificate for emu.freenetproject.org? That address isn't
> accessible--what was it, and shouldn't we get this fixed?
>

This certificate has X509v3 Subject Alternative Names.
It should be valid for the following FQDNs: emu.freenetproject.org,
freenetproject.org, osprey.freenetproject.org, bugs.freenetproject.org,
downloads.freenetproject.org

Florent
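
Added example, not part of the original message: a small offline check for the three failure modes listed in the reply above (mixed content on an HTTPS page, a login form hosted over HTTP, a cookie set without the Secure flag). The function names, finding labels and the example.test host are assumptions made for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs the browser fetches while rendering the page.
FETCHED = {("script", "src"), ("img", "src"), ("iframe", "src"),
           ("link", "href"), ("embed", "src"), ("source", "src")}

class _Scan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.http_subresources, self.has_password_field = [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.has_password_field = True
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
            return  # rel=canonical and similar links are not fetched
        for name, value in a.items():
            if (tag, name) in FETCHED and value.lower().startswith("http://"):
                self.http_subresources.append(value)

def cookies_without_secure(set_cookie_headers):
    """Names of cookies whose Set-Cookie header lacks the Secure attribute."""
    names = []
    for header in set_cookie_headers:
        pair, *attrs = [p.strip() for p in header.split(";")]
        if "secure" not in {x.lower() for x in attrs}:
            names.append(pair.split("=", 1)[0])
    return names

def audit(page_url, html, set_cookie_headers):
    """Return (finding, detail) tuples for one fetched page."""
    scan = _Scan()
    scan.feed(html)
    scan.close()
    findings = []
    if urlsplit(page_url).scheme == "https":
        # Relative and https:// subresources stay on TLS; http:// ones do not.
        findings += [("mixed-content", u) for u in scan.http_subresources]
    elif scan.has_password_field:
        # The form can be rewritten in transit even if it posts to https://.
        findings.append(("form-over-http", page_url))
    findings += [("cookie-without-secure", n)
                 for n in cookies_without_secure(set_cookie_headers)]
    return findings

# Constructed sample pages and headers (example.test is a placeholder host).
HTTPS_PAGE = ('<link rel="canonical" href="http://example.test/">'
              '<script src="http://cdn.example.test/app.js"></script>'
              '<img src="/logo.png">')
HTTP_LOGIN = ('<form action="https://example.test/login">'
              '<input type="password" name="p"></form>')
COOKIES = ["session=abc123; Path=/; HttpOnly", "theme=dark; Path=/; Secure"]
```
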