On Sun, 26 Nov 2017 16:51:53 +0100, David Runge wrote: >> Not that much, since even when additionally using TOR, privacy isn't >> ensured without exceptions, >> https://www.torproject.org/docs/faq.html.en#AttacksOnOnionRouting . >That of course is also true and thanks for pointing it out. >When writing, I was more thinking of subdomains hosting applications, >that require authentication (then seeing, that e.g. >{lists,wiki}.linuxaudio.org already facilitate letsencrypt certs). > >Of course, given the right tools and infrastructure, it gets >increasingly harder to achieve some form of privacy. >However, that's no reason not to aim for the maximum amount thereof. > >In any case (unless your ssl is broken) and however one wants to turn >it: It is beneficial to implement https and I'm happy to hear it will >be done.
Btw. when I asked to provide Ardour for Arch with disabling the phone home option, as Debian and Ubuntu already did, it was not because I had concerns regarding upstream, I've done this, e.g. because activists use Ardour and at the same time TOR browser, without redirecting all traffic trough the onion. I'm pro ever little step to grant more privacy by default, https is one of those steps. Actually ssl is much known to the masses for Heartbleed, not for security and it's kinda always in a broken state. [rocketmouse@archlinux ~]$ arch-audit | grep ssl Package openssl-1.0 is affected by CVE-2017-3736, CVE-2017-3735. Medium risk! Ok, no output for openssl yet, just for openssl-1.0, however taking a look at... [rocketmouse@archlinux ~]$ pactree -r openssl-1.0 [snip] [rocketmouse@archlinux ~]$ pactree -r openssl [snip] ...we should take in consideration that ssl isn't the universal salvation. But again, I agree with you, https is better than no https ;). Regards, Ralf _______________________________________________ Linux-audio-dev mailing list Linux-audio-dev@lists.linuxaudio.org https://lists.linuxaudio.org/listinfo/linux-audio-dev