Re: Making www.cpan.org TLS-only
On Fri, 1 Sep 2017, Ask Bjørn Hansen wrote:

> Date: Fri, 1 Sep 2017 03:10:12 +0200
> From: Ask Bjørn Hansen
> To: cpan-workers@perl.org
> Subject: Making www.cpan.org TLS-only
>
> Hi everyone,
>
> We’re considering how/how-much we can make www.cpan.org TLS-only.
>
> http://log.perl.org/2017/08/tls-only-for-wwwcpanorg.html
>
> I expect that we can’t make the whole site TLS-only without breaking some CPAN clients, so the conservative version is to force TLS for
>
> - any url ending in *.html
> - any url not matching some variation of (/authors/ | /MIRRORED.BY | ^/modules/[^/]+ )

If you exclude /MIRRORED.BY, perhaps /indices/mirrors.json should be excluded too; same stuff, only machine-readable.

> Does that sound about right? Maybe /src/, too?

It sounds arbitrary :-); exceptions cause confusion. Is it too dangerous to just do it and fix what's broken? You can always revert quickly.

> Ask

Regards, Henk Penning

Henk P. Penning, ICT-beta, Uithof HFG-406, Faculty of Science, Utrecht University
Budapestlaan 6, 3584CD Utrecht, NL
T +31 30 253 4106, F +31 30 253 4553
http://www.staff.science.uu.nl/~penni101/
M penn...@uu.nl
Re: Making www.cpan.org TLS-only
Uh, there’s no “SSL” anymore. The newer versions of SSL have been “TLS” since the end of the nineties. https://en.wikipedia.org/wiki/Transport_Layer_Security

That being said, the suggested change here is to require HTTPS for www.cpan.org by redirecting all plain-text HTTP requests to the HTTPS version.

Ask
Re: Making www.cpan.org TLS-only
On one hand SSL (especially openssl) has received a lot of negative publicity about being insecure, so your proposal has merit. The counter argument is that Perl and CPAN strive to be relevant for ancient, old, young and brand-spanking-new installations. Forcing TLS would likely break some older operating systems' ability to update.
Re: Making www.cpan.org TLS-only
> On Aug 31, 2017, at 19:44, James E Keenan wrote:
>
> To be honest, I had no idea what 'TLS' meant when I first read this message.
> So I can't say anything one way or the other about your proposal.
>
> I suspect I'm not alone in this. I would encourage you to post in a location
> like blogs.perl.org as to what 'TLS' is, so that the census count of the
> ignorant can be reduced.

I posted on http://log.perl.org/ earlier. Feel free to link to that from blogs.perl.org.

Ask
Re: Making www.cpan.org TLS-only
On 08/31/2017 09:10 PM, Ask Bjørn Hansen wrote:

> Hi everyone,
>
> We’re considering how/how-much we can make www.cpan.org TLS-only.
>
> http://log.perl.org/2017/08/tls-only-for-wwwcpanorg.html
>
> I expect that we can’t make the whole site TLS-only without breaking some CPAN clients, so the conservative version is to force TLS for
>
> - any url ending in *.html
> - any url not matching some variation of (/authors/ | /MIRRORED.BY | ^/modules/[^/]+ )
>
> Does that sound about right? Maybe /src/, too?
>
> (Also - we will support TLS for www.cpan.org permanently now, so please update URLs where possible and appropriate).

To be honest, I had no idea what 'TLS' meant when I first read this message. So I can't say anything one way or the other about your proposal.

I suspect I'm not alone in this. I would encourage you to post in a location like blogs.perl.org as to what 'TLS' is, so that the census count of the ignorant can be reduced.

Thank you very much.

Jim Keenan
Making www.cpan.org TLS-only
Hi everyone,

We’re considering how/how-much we can make www.cpan.org TLS-only.

http://log.perl.org/2017/08/tls-only-for-wwwcpanorg.html

I expect that we can’t make the whole site TLS-only without breaking some CPAN clients, so the conservative version is to force TLS for

- any url ending in *.html
- any url not matching some variation of (/authors/ | /MIRRORED.BY | ^/modules/[^/]+ )

Does that sound about right? Maybe /src/, too?

(Also - we will support TLS for www.cpan.org permanently now, so please update URLs where possible and appropriate).

Ask
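One way to encode the conservative rule proposed in this thread, as an added Python example that is not cpan.org's own redirect configuration: it takes a request path or URL, treats the `*.html` rule as taking precedence over the exemptions (an assumption the post leaves open), keeps Henk Penning's /indices/mirrors.json suggestion as a switchable extra, and uses function names (`needs_tls_redirect`, `redirect_target`, `classify`) chosen here. The sample paths in the usage are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Exemptions from the conservative proposal: paths that plain-HTTP CPAN clients
# fetch and that therefore keep working without a redirect. The post says
# "some variation of" these patterns; this is one literal reading (re.search).
EXEMPT_PATTERNS = [
    re.compile(r"/authors/"),
    re.compile(r"/MIRRORED\.BY"),
    re.compile(r"^/modules/[^/]+"),
]

# Henk Penning's follow-up: the machine-readable mirror list, kept separate
# so the effect of adding it can be compared.
EXTRA_EXEMPT_PATTERNS = [
    re.compile(r"^/indices/mirrors\.json$"),
]


def needs_tls_redirect(url, extra_exempt=False):
    """True if a plain-HTTP request for `url` should be redirected to HTTPS.

    Assumed precedence: anything ending in .html is always redirected;
    otherwise a path is redirected unless it matches an exemption.
    """
    path = urlsplit(url).path or "/"
    if path.endswith(".html"):
        return True
    patterns = EXEMPT_PATTERNS + (EXTRA_EXEMPT_PATTERNS if extra_exempt else [])
    return not any(p.search(path) for p in patterns)


def redirect_target(url, default_host="www.cpan.org"):
    """Build the https:// URL a redirect would point at (scheme swap only)."""
    parts = urlsplit(url)
    host = parts.netloc or default_host
    return urlunsplit(("https", host, parts.path, parts.query, parts.fragment))


def classify(urls, extra_exempt=False):
    """Map each URL to 'redirect' or 'plain' for a quick before/after review."""
    return {u: ("redirect" if needs_tls_redirect(u, extra_exempt) else "plain")
            for u in urls}


if __name__ == "__main__":
    # Constructed sample paths covering the cases raised in the thread.
    sample = ["/index.html", "/MIRRORED.BY", "/modules/02packages.details.txt.gz",
              "/src/", "/indices/mirrors.json", "/authors/id/X/XX/XXX/Example-1.0.tar.gz"]
    for path, verdict in classify(sample).items():
        print(f"{verdict:8} {path}")
```

Running it with `extra_exempt=True` flips only /indices/mirrors.json to "plain", which makes the cost of each extra exception visible before it goes into a real redirect rule.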