Hi,

Hanno Böck wrote:
> Right now a number of Gentoo webpages are by default served over http.
> There is a growing trend to push more webpages to default to https,
> mostly pushed by Google. I think this is a good thing and I think
> Gentoo should follow.

+1


> Right now we seem to have a mix:
> * A number of webpages default to http and have optional https
>   (www.gentoo.org)
> * Some with sensitive logins are already https by default (e.g.
>   bugs.gentoo.org), but they don't use HSTS, which they should
> * Some with logins are mixed http/login-via-https, which makes them
>   vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org)

Don't forget the forum (http://forums.gentoo.org/). Even if you connect
to https://forums.gentoo.org/ it will always fall back to HTTP.
Also all the mail notifications will send you to the HTTP version...


-Thomas
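
The cases listed in this thread (HTTP by default, HTTPS without HSTS, HTTPS falling back to HTTP) can be checked from a recorded redirect chain. The following is an added example, not part of the original messages or of any Gentoo tooling; the hostnames, sample hops and finding names are constructed for illustration.

```python
from urllib.parse import urlsplit

def hsts_max_age(headers):
    """Return the max-age of Strict-Transport-Security, or None if absent/invalid."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return None
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else None
    return None

def audit(chain):
    """chain: list of (url, response_headers) hops in the order a browser follows them."""
    schemes = [urlsplit(url).scheme for url, _ in chain]
    findings = set()
    if schemes[-1] == "http":
        findings.add("served-over-http")      # final page is plaintext
    if any(a == "https" and b == "http" for a, b in zip(schemes, schemes[1:])):
        findings.add("https-downgrade")       # HTTPS hop redirects back to HTTP
    # HSTS is only honoured on HTTPS responses; max-age=0 clears the policy.
    https_headers = [h for (_, h), s in zip(chain, schemes) if s == "https"]
    if https_headers and not any((hsts_max_age(h) or 0) > 0 for h in https_headers):
        findings.add("missing-hsts")
    return sorted(findings)

# Constructed sample chains (placeholder hosts), one per case from the thread.
SAMPLES = {
    "http-default": [("http://www.example.org/", {})],
    "https-no-hsts": [("http://bugs.example.org/", {"Location": "https://bugs.example.org/"}),
                      ("https://bugs.example.org/", {})],
    "forum-fallback": [("https://forums.example.org/", {"Location": "http://forums.example.org/"}),
                       ("http://forums.example.org/", {})],
    "hardened": [("http://site.example.org/", {"Location": "https://site.example.org/"}),
                 ("https://site.example.org/",
                  {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})],
}

if __name__ == "__main__":
    for name, chain in SAMPLES.items():
        print(f"{name}: {audit(chain) or 'ok'}")
```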

