Someone mentioned that Syria blocks HTTPS, and there are reports of Iran blocking HTTPS as well. I don't know if these reports are true, however; it seems a little suicidal since it also means various services such as online banking aren't secure.
I'm of the mind that if HTTPS doesn't work then we shouldn't serve anything. Certain services do force HTTPS, and online stores / banks would be laughed at if they started offering "non-secure" transactions. "Certificate error" is the same as not working, yes. People who say "just click through the warning" deserve to get their bank details stolen. Do it in private if you want to take a risk, but don't advise others to do the same thing!

X

On 10/03/12 17:47, Florent Daigniere wrote:
> On Sat, Mar 10, 2012 at 10:44:55AM -0600, Daxter wrote:
>> On Mar 10, 2012, at 3:44 AM, Florent Daigniere wrote:
>>> On Fri, Mar 09, 2012 at 07:11:19PM -0600, Daxter wrote:
>>>>
>>>> I'm all for HTTPS, but do we really want to outright *remove*
>>>> functionality from the site? Sure, HTTP isn't secure and all "modern" web
>>>> browsers support it. However, we would be making it harder for people to
>>>> learn about Freenet and potentially try it out.
>>>>
>>>
>>> Why? You could still access it over HTTP... and be presented with
>>> (transparent) redirect to the secure version.
>>
>> I just scratched an itch and discovered that even Lynx supports HTTPS? If it
>> really is the case that HTTPS has become so ubiquitous that users wouldn't
>> be affected, then sure, go ahead with it.
>>
>> HOWEVER: the question really needs to be restated. Are there any countries
>> or ISPs that are known to disallow secure communications?
>>
>
> I can name plenty of countries filtering HTTP (starting with the UK, where I
> live); I'm not sure I can name a single one filtering HTTPS.
> Fundamentally, we can't prevent filtering... but we can prevent tampering of
> what we publish using cryptography.
>
>
>>>> In the end I think we should do what every major website does today:
>>>> encrypt the important data and let the entire site be accessible securely,
>>>> but don't force it onto people.
>>>>
>>>> -Daxter
>>>
>>> It's very difficult to do and most websites do it wrong. You have to think
>>> about mixed-content errors, cookie flags, ...
>>>
>>> Sending credentials in cleartext like we do on the wikis, with no secure
>>> alternative, is a disgrace.
>>>
>>> Florent
>>
>>
>> Can you give me an example of a website that in your mind does either the
>> mixed model or the secure-only model properly? It would be nice to compare
>> with them.
>>
>
> https://www.torproject.org/ does it properly (HTTPS everywhere)
> https://bugs.freenetproject.org/ does it properly
> https://www.trustmatta.com/ does it properly
>
>
> https://umbraco.codeplex.com/SourceControl/list/changesets doesn't do it
> properly (mixed content on the https version)
> http://www.laposte.net/ (major webmail provider in France) doesn't do it
> properly (form hosted over http)
> My bank's website doesn't do it properly (they don't set the 'secure' flag on
> their session cookie)
> ...
>
> I'm not short of examples; these are the open tabs in my browser right now.
>
>> Actually, the wiki supports HTTPS right now. You'll get a certificate error,
>> but it works.
>>
>
> Hmmff? If you get a certificate error it doesn't work.
>
>> While we're on the subject (as I've never bothered with HTTPS on the site
>> until now), turns out it's rather misconfigured. Both the wiki and the main
>> site return a certificate for emu.freenetproject.org? That address isn't
>> accessible--what was it, and shouldn't we get this fixed?
>>
>
> This certificate has X509v3 Subject Alternative Names. It should be valid for
> the following fqdns:
> emu.freenetproject.org, freenetproject.org, osprey.freenetproject.org,
> bugs.freenetproject.org, downloads.freenetproject.org
>
> Florent

--
GPG: 4096R/5FBBDBCE
https://github.com/infinity0
https://bitbucket.org/infinity0
https://launchpad.net/~infinity0
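
The three failures named in the quoted message (mixed content on an HTTPS page, a form hosted over HTTP, a session cookie without the Secure flag) can be checked mechanically. The following is an added example, not part of the original thread or of Freenet's code; the name audit_response, the finding labels and the sample hosts and pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _PageScan(HTMLParser):
    """Collects http:// subresources and form targets from one HTML page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings, self.has_form = page_url, [], False

    def _check(self, kind, value):
        if value:
            target = urljoin(self.page_url, value)  # resolves relative and //host URLs
            if urlparse(target).scheme == "http":
                self.findings.append((kind, target))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.has_form = True
            self._check("insecure-form-target", a.get("action"))
        elif tag in ("script", "img", "iframe"):
            self._check("mixed-content", a.get("src"))
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            self._check("mixed-content", a.get("href"))

def audit_response(page_url, set_cookie_headers, html):
    """Return (kind, detail) findings for one fetched page."""
    scan = _PageScan(page_url)
    scan.feed(html)
    if urlparse(page_url).scheme != "https":
        # A form delivered over HTTP can be rewritten in transit, even if it posts to HTTPS.
        return [("form-served-over-http", page_url)] if scan.has_form else []
    findings = []
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        flags = {p.strip().split("=", 1)[0].lower() for p in header.split(";")[1:]}
        if "secure" not in flags:
            findings.append(("cookie-missing-secure", name))
    return findings + scan.findings

# Constructed sample inputs (not captured from any real site).
HTTPS_PAGE = ('<script src="http://cdn.example/app.js"></script>'
              '<link rel="stylesheet" href="/site.css"><img src="//img.example/logo.png">'
              '<form action="/login" method="post"></form>')
COOKIES = ["session=abc123; Path=/; HttpOnly", "prefs=dark; Path=/; Secure"]
HTTP_PAGE = '<form action="https://mail.example/login" method="post"></form>'

if __name__ == "__main__":
    print(audit_response("https://shop.example/account", COOKIES, HTTPS_PAGE))
    print(audit_response("http://mail.example/", [], HTTP_PAGE))
```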