Re: No HTTPS on nginx.org by default

2016-08-27 Thread B.R.
No one is, and nor does anyone have to be. Maybe less peremptory, abrupt answers the next time someone points out a potential problem, and no hard words about despotism when views are shared, might help? :o) Thanks for having taken the necessary time on this. Keep up the good work! No hard feelings. --- *B.

Re: No HTTPS on nginx.org by default

2016-08-25 Thread Maxim Konovalov
On 8/24/16 10:59 PM, B.R. wrote: > HTTPS was supported, but internal links were systematically served > over HTTP. Right -- this happens because for a long time nginx.org was HTTP only. I agree that there are still some leftovers that should be fixed. I am sorry that we are not perfect. > Without cons

Re: No HTTPS on nginx.org by default

2016-08-24 Thread B.R.
HTTPS was supported, but internal links were systematically served over HTTP. Without considering any religion, this problem is now fixed. As per your political decision on serving content (un)encrypted, it is *in fine* your choice and it has been noted. Power users already knew about HTTPS anyway

Re: No HTTPS on nginx.org by default

2016-08-24 Thread Maxim Konovalov
On 8/22/16 8:30 PM, Maxim Konovalov wrote: > On 8/22/16 8:23 PM, Richard Stanway wrote: >> See https://nginx.org/en/linux_packages.html#stable >> >> PGP key links are hard coded to http URLs: >> >> >> For Debian/Ubuntu, in order to authenticate the nginx repository >> signature >> and to eliminate

Re: No HTTPS on nginx.org by default

2016-08-23 Thread Daniël Mostertman
On 2016-08-23 15:31, Maxim Konovalov wrote: Let me repeat: nginx.org supports HTTPS. I don't think it adds any measurable security here but it's a matter of religion but you can use it for free if you think it does. +1 Although it would be chic if nginx.org would advertise an HSTS header so tha

Re: No HTTPS on nginx.org by default

2016-08-23 Thread Maxim Konovalov
On 8/23/16 4:15 PM, B.R. wrote: > On Mon, Aug 22, 2016 at 6:49 PM, Maxim Konovalov > mailto:ma...@nginx.com>> wrote: > On 8/22/16 7:41 PM, B.R. wrote: > > In 2016, stating that content served over HTTP is 'secure' blows my > > mind and kills your credibility. > > > Who d

Re: No HTTPS on nginx.org by default

2016-08-23 Thread B.R.
> > On Mon, Aug 22, 2016 at 6:49 PM, Maxim Konovalov wrote: > On 8/22/16 7:41 PM, B.R. wrote: > > In 2016, stating that content served over HTTP is 'secure' blows my > > mind and kills your credibility. > > > Who did that? What's his name? > Someone named 'Maxim Konovalov'. Sounds familiar? Se

Re: No HTTPS on nginx.org by default

2016-08-22 Thread Maxim Konovalov
On 8/22/16 8:23 PM, Richard Stanway wrote: > See https://nginx.org/en/linux_packages.html#stable > > PGP key links are hard coded to http URLs: > > > For Debian/Ubuntu, in order to authenticate the nginx repository > signature > and to eliminate warnings about missing PGP key during installation

Re: No HTTPS on nginx.org by default

2016-08-22 Thread Richard Stanway
See https://nginx.org/en/linux_packages.html#stable PGP key links are hard coded to http URLs: For Debian/Ubuntu, in order to authenticate the nginx repository signature and to eliminate warnings about missing PGP key during installation of the nginx package, it is necessary to add the key used

Re: No HTTPS on nginx.org by default

2016-08-22 Thread Maxim Konovalov
On 8/22/16 8:15 PM, Richard Stanway wrote: > Could you at least fix the https download page, so it doesn't > directly link to an HTTP PGP key? > It works correctly: https://nginx.org/en/download.html > On Mon, Aug 22, 2016 at 6:49 PM, Maxim Konovalov > wrote: > > On 8

Re: No HTTPS on nginx.org by default

2016-08-22 Thread Richard Stanway
Could you at least fix the https download page, so it doesn't directly link to an HTTP PGP key? On Mon, Aug 22, 2016 at 6:49 PM, Maxim Konovalov wrote: > On 8/22/16 7:41 PM, B.R. wrote: > > The problem is, if the GPG key is served through HTTP, there is no > > way to authenticate it, since it cou

Re: No HTTPS on nginx.org by default

2016-08-22 Thread Maxim Konovalov
On 8/22/16 7:41 PM, B.R. wrote: > The problem is, if the GPG key is served through HTTP, there is no > way to authenticate it, since it could be compromised through MITM. > I am very surprised to see myself being qualified as 'HTTPS despot' > when I just spot the obvious. > But it does not -- our

Re: No HTTPS on nginx.org by default

2016-08-22 Thread B.R.
The problem is, if the GPG key is served through HTTP, there is no way to authenticate it, since it could be compromised through MITM. I am very surprised to see myself being qualified as 'HTTPS despot' when I just spot the obvious. Compromised repository + GPG key is one very powerful way of impe

Re: No HTTPS on nginx.org by default

2016-08-22 Thread Dewangga Bachrul Alam
Hello! On 08/22/2016 10:58 PM, rai...@ultra-secure.de wrote: > > nginx doesn't provide an auto-update mechanism that stupidly downloads > and accepts all and everything somebody makes available under some > spoofed address. You can use the PGP key[1] to verify the binary was correct or "injected"

Re: No HTTPS on nginx.org by default

2016-08-22 Thread rainer
On 2016-08-22 17:44, Maxim Konovalov wrote: On 8/22/16 6:40 PM, Richard Stanway wrote: 1. You could provide an insecure.nginx.org mirror for such people, make nginx.org secure by default. No, thanks. It is secure by default and HTTPS by default do

Re: No HTTPS on nginx.org by default

2016-08-22 Thread Maxim Konovalov
On 8/22/16 6:40 PM, Richard Stanway wrote: > 1. You could provide an insecure.nginx.org > mirror for such people, make nginx.org secure by > default. > No, thanks. It is secure by default and HTTPS by default doesn't add any value. > 2. Modern server C

Re: No HTTPS on nginx.org by default

2016-08-22 Thread Richard Stanway
1. You could provide an insecure.nginx.org mirror for such people, make nginx.org secure by default. 2. Modern server CPUs are already extremely energy efficient, TLS adds negligible load. See https://istlsfastyet.com/ On Mon, Aug 22, 2016 at 12:31 PM, Valentin V. Bartenev wrote: > On Sunday 21

Re: No HTTPS on nginx.org by default

2016-08-22 Thread Valentin V. Bartenev
On Sunday 21 August 2016 15:56:09 B.R. wrote: > It is surprising, since I remember Ilya Grigorik made a talk about TLS > during the first ever nginx conf in 2014: > https://www.youtube.com/watch?v=iHxD-G0YjiU > https://istlsfastyet.com/ It's just Ilya's opinion. You are free to agree or not. >

Re: No HTTPS on nginx.org by default

2016-08-21 Thread B.R.
It is surprising, since I remember Ilya Grigorik made a talk about TLS during the first ever nginx conf in 2014: https://www.youtube.com/watch?v=iHxD-G0YjiU https://istlsfastyet.com/ Thus, there is no reason for not going full-HTTPS in delivering Web pages. --- *B. R.* On Fri, Aug 19, 2016 at 9:2

No HTTPS on nginx.org by default

2016-08-19 Thread Richard Stanway
Hello, I noticed that the PGP key used for signing the Debian release packages recently expired. I went to download the new one and noticed that nginx.org wasn't using HTTPS by default. Manually entering an https URL works as expected, although some pages have hard coded http links in them. Is ther