On May 10, 2016 1:29 Bob Beck wrote:
And statements like this - and people that think this is a good idea, are why I spoof DNS answers in bars and coffee shops, and why I don't read misc@. This is never a good idea, unless you want the connections intercepted and MITM'ed.
I don't see the issue with this Bob. Of course it means the first access is the one with very high value. But so it is with HPKP, and so it is with SSH itself. I see that you guys are working on having openbsd included in HTTPS Everywhere and all. But it still leaves it up to the user.

If you put HSTS on top of a one-time redirect, the client will never again access the site using http. It is a concession. One that you don't seem keen to make.

And, on second thought, I only care for the anoncvs page where you have the ssh host keys. The rest of the site can be left unencrypted. Until every UA is changed to first try TLS and *only then* fall back to clear text http, this kind of measure has its uses.

Cheers,
Giancarlo Razzolini
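The disagreement above turns on what a redirect plus HSTS actually protects. The block below is an added example, not code from the thread or from the OpenBSD project: it models a server that 301s cleartext requests to HTTPS and sends Strict-Transport-Security only over TLS, a client-side HSTS cache in the shape RFC 6797 describes (including the rule that the header is ignored when received over plain http), and a constructed on-path attacker who can answer cleartext requests but not TLS. The host name www.example.org, the attacker model and the page bodies are assumptions made for the example.

```python
"""Model of an HTTP->HTTPS redirect with HSTS, and of an HSTS-aware client.

Added example, not code from the original thread. The host name, page
bodies and attacker model are constructed for illustration.
"""
import time
from urllib.parse import urlsplit

HSTS_MAX_AGE = 31536000  # one year, in seconds


def origin_server(scheme, host, path):
    """Constructed server: 301 every cleartext request to HTTPS, and send
    Strict-Transport-Security only on the HTTPS response (clients ignore it
    when it arrives over plain http, RFC 6797 section 8.1)."""
    if scheme == "http":
        return 301, {"Location": f"https://{host}{path}"}, b""
    return 200, {"Strict-Transport-Security":
                 f"max-age={HSTS_MAX_AGE}; includeSubDomains"}, b"real page"


def on_path_attacker(scheme, host, path):
    """Constructed attacker who can answer cleartext requests (for instance by
    spoofing DNS on a shared network). They serve their own page, no redirect."""
    return 200, {}, b"attacker page"


class HstsStore:
    """Minimal HSTS policy cache: host -> (expiry time, includeSubDomains)."""

    def __init__(self):
        self.entries = {}

    def process_response(self, scheme, host, headers, now):
        if scheme != "https":          # only trust the header over TLS
            return
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(arg.strip().strip('"'))
                except ValueError:
                    return                 # malformed header: ignore it
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return
        if max_age == 0:                   # max-age=0 clears the policy
            self.entries.pop(host, None)
            return
        self.entries[host] = (now + max_age, include_sub)

    def is_known(self, host, now):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry > now and (i == 0 or include_sub):
                return True
        return False


def fetch(url, store, attacker_present=False, now=None):
    """Fetch url as an HSTS-aware client. Returns (requests that actually went
    on the wire as (scheme, host, path) tuples, final response body)."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    scheme, host, path = parts.scheme, parts.hostname, parts.path or "/"
    wire = []
    for _ in range(5):                     # bounded redirect chain
        if scheme == "http" and store.is_known(host, now):
            scheme = "https"               # upgrade before anything hits the wire
        wire.append((scheme, host, path))
        # Only cleartext can be answered by the attacker; they hold no
        # certificate the client would trust for a TLS connection.
        handler = on_path_attacker if (scheme == "http" and attacker_present) else origin_server
        status, headers, body = handler(scheme, host, path)
        store.process_response(scheme, host, headers, now)
        if status in (301, 302, 307, 308):
            parts = urlsplit(headers["Location"])
            scheme, host, path = parts.scheme, parts.hostname, parts.path or "/"
            continue
        return wire, body
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    store = HstsStore()
    print(fetch("http://www.example.org/", store))                              # cleartext, then TLS
    print(fetch("http://www.example.org/", store, attacker_present=True))       # upgraded before the wire
    print(fetch("http://www.example.org/", HstsStore(), attacker_present=True)) # fresh client: intercepted
```

Running it shows both sides of the argument: a client that has already completed one clean HTTPS visit never sends cleartext to that host again within max-age, so the attacker on the coffee-shop network gets nothing to answer; a fresh client (or one whose policy has expired) still makes its first request in the clear and is served the attacker's page without ever seeing the redirect. The HSTS preload lists shipped in browsers exist precisely to close that first-visit gap.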