Re: Making www.cpan.org TLS-only

2017-09-05 Thread Ask Bjørn Hansen
> On Sep 5, 2017, at 11:22 , Leo Lapworth wrote:
>
> Would (at least for the short term) just adding the HSTS header to every request be the best solution? Then browsers get told to switch to secure and other clients can do either.

HSTS only works on TLS requests, so you have to get the

Re: Making www.cpan.org TLS-only

2017-09-05 Thread Leo Lapworth
On 5 September 2017 at 09:31, Leon Timmermans wrote:
> On Tue, Sep 5, 2017 at 6:34 AM, Ask Bjørn Hansen wrote:
>
>> > Among things that should allow non-TLS: I would include /src/. Also the top-level RECENT files, things in /indices/.
>>
>> +1.
>>
>> Maybe it makes more sense to reverse the

Re: Making www.cpan.org TLS-only

2017-09-05 Thread Leon Timmermans
On Tue, Sep 5, 2017 at 6:34 AM, Ask Bjørn Hansen wrote:
>
> Among things that should allow non-TLS: I would include /src/. Also the top-level RECENT files, things in /indices/.
>
> +1.
>
> Maybe it makes more sense to reverse the logic and just target whatever the most popular[1] web page

Re: Making www.cpan.org TLS-only

2017-09-04 Thread Ask Bjørn Hansen
> On Sep 4, 2017, at 11:20, David Golden wrote:
>
> Are those "OR" conditions? "*.html" OR not in /authors/, etc/?

Yeah, that was the idea. Basically make “things a web browser typically visits” have forced TLS (because humans), but have it be optional for things computers typically use. Ho

Re: Making www.cpan.org TLS-only

2017-09-04 Thread David Golden
On Thu, Aug 31, 2017 at 9:10 PM, Ask Bjørn Hansen wrote:
> Hi everyone,
>
> We’re considering how/how-much we can make www.cpan.org TLS-only.
> http://log.perl.org/2017/08/tls-only-for-wwwcpanorg.html
>
> I expect that we can’t make the whole site TLS-only without breaking some CPAN clients, so

Re: Making www.cpan.org TLS-only

2017-09-04 Thread David Cantrell
On Fri, Sep 01, 2017 at 12:48:02PM -0400, Olaf Alders wrote:
> As an (interesting?) aside, the Net::HTTP test suite just broke because of the 301 from http://www.cpan.org to https://www.cpan.org
> https://github.com/libwww-perl/Net-HTTP/issues/53
> Obviously that test made some assumptions

Re: Making www.cpan.org TLS-only

2017-09-01 Thread David E. Wheeler
On Aug 31, 2017, at 9:10 PM, Ask Bjørn Hansen wrote:
> Hi everyone,
>
> We’re considering how/how-much we can make www.cpan.org TLS-only.
> http://log.perl.org/2017/08/tls-only-for-wwwcpanorg.html
>
> I expect that we can’t make the whole site TLS-only without breaking some CPAN clients, so

Re: Making www.cpan.org TLS-only

2017-09-01 Thread Olaf Alders
> On Sep 1, 2017, at 3:49 AM, Ask Bjørn Hansen wrote:
>
> The Google change was the impetus to get around to it.
>
> Clients should use TLS to request content. It limits the trust for downloading CPAN content roughly to:
>
> - The author
> - PAUSE system maintainers
> - perl.org infrastruct

Re: Making www.cpan.org TLS-only

2017-09-01 Thread Kent Fredric
> downloading CPAN content roughly to:
> internet connection to not muck with the code you receive.
>
> Obviously the real fix here is that clients need to request via TLS (since I doubt any clients other than regular browsers support HSTS).

I was under the impression that any "code" ( eg: conte

Re: Making www.cpan.org TLS-only

2017-09-01 Thread Ask Bjørn Hansen
The Google change was the impetus to get around to it.

Clients should use TLS to request content. It limits the trust for downloading CPAN content roughly to:

- The author
- PAUSE system maintainers
- perl.org infrastructure maintainers
- Fastly
- Global CA infrastructure

Without TLS you basica

Re: Making www.cpan.org TLS-only

2017-09-01 Thread Kent Fredric
On 1 September 2017 at 13:10, Ask Bjørn Hansen wrote:
> Hi everyone,
>
> We’re considering how/how-much we can make www.cpan.org TLS-only.
> http://log.perl.org/2017/08/tls-only-for-wwwcpanorg.html
>
> I expect that we can’t make the whole site TLS-only without breaking some CPAN clients, so th

Re: Making www.cpan.org TLS-only

2017-09-01 Thread Stefan Seifert
On Friday, 1 September 2017 08:50:35 CEST Henk P. Penning wrote:
> It sounds arbitrary :-) ; Exceptions cause confusion.
> Is it too dangerous to just do it and fix what's broken ?
> You can always revert quickly.

If there have to be exceptions, basing them on the UserAgent would be mo

Re: Making www.cpan.org TLS-only

2017-08-31 Thread Henk P. Penning
On Fri, 1 Sep 2017, Ask Bjørn Hansen wrote:

Date: Fri, 1 Sep 2017 03:10:12 +0200
From: Ask Bjørn Hansen
To: cpan-workers@perl.org
Subject: Making www.cpan.org TLS-only

Hi everyone,

We’re considering how/how-much we can make www.cpan.org TLS-only.
http://log.perl.org/2017/08/tls-only-for

Re: Making www.cpan.org TLS-only

2017-08-31 Thread Ask Bjørn Hansen
Uh, there’s no “SSL” anymore. The newer versions of SSL have been “TLS” since the end of the nineties. https://en.wikipedia.org/wiki/Transport_Layer_Security That being said, the suggested change here is to require HTTPS for www.cpan.org by redirecting all plain-text HTTP requests to the HTTPS

Re: Making www.cpan.org TLS-only

2017-08-31 Thread Tim Orling
On one hand SSL (especially openssl) has received a lot of negative publicity about being insecure, so your proposal has merit. The counter argument is that Perl and CPAN strive to be relevant for ancient, old, young and brand-spanking-new installations. Forcing TLS would likely break some older

Re: Making www.cpan.org TLS-only

2017-08-31 Thread Ask Bjørn Hansen
> On Aug 31, 2017, at 19:44, James E Keenan wrote:
>
> To be honest, I had no idea what 'TLS' meant when I first read this message. So I can't say anything one way or the other about your proposal.
>
> I suspect I'm not alone in this. I would encourage you to post in a location like bl

Re: Making www.cpan.org TLS-only

2017-08-31 Thread James E Keenan
On 08/31/2017 09:10 PM, Ask Bjørn Hansen wrote:

Hi everyone,

We’re considering how/how-much we can make www.cpan.org TLS-only.
http://log.perl.org/2017/08/tls-only-for-wwwcpanorg.html

I expect that we can’t make the whole site TLS-only without breaking some CPAN clients, so the conservative ve

Making www.cpan.org TLS-only

2017-08-31 Thread Ask Bjørn Hansen
Hi everyone,

We’re considering how/how-much we can make www.cpan.org TLS-only.
http://log.perl.org/2017/08/tls-only-for-wwwcpanorg.html

I expect that we can’t make the whole site TLS-only without breaking some CPAN clients, so the conservative version is to force TLS for

- any url ending in *.h