> In the case of www.openbsd.org, using HTTPS isn't so much about > privacy as it is about integrity. Yes, signify(1) is a thing, but > using HTTPS in addition to it would make release and package > downloads more difficult to tamper with.
Well packages usually come from mirrors which I know from before signify most don't offer https. All you would achieve now is to make it more likely that people couldn't patch security holes in their systems due to mirrors going down. > Another attack currently possible against www.openbsd.org is changing > the https://openbsdstore.com links to http://openbsdstore.com, and > running sslstrip on that. Or the PayPal links... So use HSTS, nope because now users don't bother checking as they have a false sense of security and when they find a site that doesn't use HSTS they miss the downgrade. Also users still need to check the domain is correct so checking if the bar is bright green like with the xombrero browser that does things properly mutes any point. > (For the record, I highly approve of many https efforts, but think > that https everywhere would be an utter disaster.) Here hear The cvs page fingerprint page could be https enabled, however you can use googles cache over https, also buy a CD to help the project greatly would do far more for world security than TLS everywhere and even look at mailing list archives over https as a web of trust. ISPs snooping is a compelling reason but not enough for me to adopt HSTS, a VPN makes more sense. I changed my ISP instead though ;). -- KISSIS - Keep It Simple So It's Securable
