On 2022-04-28 07:30, Bill Cole wrote:
> I see no reason to make HTTPS mandatory for mirrors at this point. It
> does mean an extra layer that can break and the impersonation attacks
> that it enables would be extremely complicated to mount, so may be
> entirely theoretical. I would rather keep unencrypted mirrors for the
> sake of availability than drive away helpful collaborators just because
> they haven't had a free hour recently to make HTTPS work.
I don't care either way, but it is literally more work for me to
maintain an HTTP mirror than not.
Why? My web server configuration all starts with a default "HTTP? 301
redirect to HTTPS" rule, so getting HTTP content to bypass that is
literally more lines of configuration, and extra testing when upgrading
software or moving stuff around.
It isn't a big deal. The "work" is already done, and I mirror torbrowser
and sometimes tails as well and there is a stronger use-case for
maintaining HTTP indefinitely there, so adding one more hostname to the
"okay, serve it with http too" list isn't even on my radar of things to
care about.
I do care about encryption in general though.
HTTPS is an inconsequential amount of overhead and has been for a decade
or so (from my perspective). And I have trouble imagining any machine
that is simultaneously powerful enough to run SpamAssassin and also
finds the overhead of HTTPS consequential.
As noted elsewhere in the thread, I'm one of the mirrors that offers
HTTPS already; this is because it is already part of my provisioning
system when I add a site and, like allowing HTTP at all, it would be more
work to carve out an exception.
I have no preference or vote in either direction here specifically, but
for my part I consider HTTP legacy and am a strong believer in replacing
HTTP services with a static 301 response and calling it a day.
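The configuration pattern described in this message (a default "HTTP? 301 redirect to HTTPS" rule, with a mirror hostname carved out so it is still served over plain HTTP) as an added nginx example. This is not the poster's configuration or anything from the SpamAssassin project; the hostname, document root and certificate paths are placeholders assumed for illustration.

```nginx
# Added example, not from the thread. Hostnames and paths are assumed.

# Default catch-all on port 80: any request for a hostname that has no
# more specific server block below is permanently redirected to HTTPS.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# The carve-out: this mirror hostname must remain reachable over plain
# HTTP, so it gets its own port-80 block that serves content instead of
# redirecting. Each hostname on the "okay, serve it with http too" list
# needs a block like this, which is the extra configuration being
# described above.
server {
    listen 80;
    listen [::]:80;
    server_name mirror.example.org;     # assumed hostname
    root /srv/mirrors/spamassassin;     # assumed document root
    autoindex on;
}

# The same hostname over HTTPS. Deliberately no Strict-Transport-Security
# header here: a browser that has seen HSTS for this host would refuse
# the plain-HTTP variant we just went out of our way to keep.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name mirror.example.org;
    ssl_certificate     /etc/letsencrypt/live/mirror.example.org/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/mirror.example.org/privkey.pem;    # assumed path
    root /srv/mirrors/spamassassin;
    autoindex on;
}
```

Checks worth running after `nginx -t` and a reload: `curl -sI http://mirror.example.org/ | head -n 1` should report a 200 (the carve-out is serving content), while `curl -sI -H 'Host: anything-else.example.org' http://mirror.example.org/ | head -n 1` should report a 301 with a `Location: https://...` header (the default rule still applies to every other hostname on that address). If the 301 shows up for the mirror hostname too, the `server_name` in the exception block does not match what clients send, which is exactly the kind of regression the message warns about when upgrading or moving things around.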