Re: [LAD] https for linuxaudio.org

From: IOhannes m zmoelnig <zmoelnig@email-addr-hidden>
Date: Tue Nov 21 2017 - 12:39:49 EET

On 2017-11-21 10:49, Jeremy Jongepier wrote:
> Hello David,
>
>> I'm currently taking over a bunch of packages for Arch Linux (mainly
>> pro-audio stuff).
>> Would it be possible to implement letsencrypt for linuxaudio.org and all
>> of its subdomains?
> It's possible for linuxaudio.org but not for all the subdomains. The
> linuxaudio.org server is a shared server that hosts projects of a
> variety of organizations and people. root@email-addr-hidden can't enforce
> the usage of SSL for all users, it's a decision the users have to take.

i'm not sure whether i read this correctly, but you make it sound like
there are technical problems hindering the implementation of https://,
although i think these are merely social (e.g. you don't want to shove
https:// down the throat of just anybody).
it's also slightly unclear what you mean by "users" (intuitively i would
have said that "users" refers to the people who want to access the
website with their browsers; however, as root@email-addr-hidden you might
think of the 'variety of organizations and people' who host projects on
linuxaudio.org as your "users").

also, there's a slight difference between "enforcing the usage of SSL"
(shoving it down the throats of everybody) and "enabling" it.

https:// is a great means against mitm attacks; as ralf has pointed out,
it's less useful as a tool to ensure privacy (use tor for that) or
integrity (use gpg signatures for that). however, it does help raise
the standards for both.
there is practically no reason to *not* use https:// everywhere (well
there's one: CPU power on the server side).

if CPU power is not a problem, i would suggest to:
- enable https:// for *all* VHOSTS that are directly running on the
linuxaudio.org infrastructure
- allow all organizations and people that "run" one of these VHOSTS to
permanently redirect to https:// (if they choose so).

of course people who run their own VHOSTS (if any) need to implement
https:// themselves.

and of course, i'm not associated with anything linuxaudio.org, so i
don't know the exact contract under which you give away VHOSTS.

asdr
IOhannes

_______________________________________________
Linux-audio-dev mailing list
Linux-audio-dev@email-addr-hidden
https://lists.linuxaudio.org/listinfo/linux-audio-dev
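
The difference drawn in the message above between "enabling" https:// on a VHOST and permanently redirecting to it can be checked from the outside. The following is an added example, not part of the original message or of any linuxaudio.org tooling; the host names and probe results are constructed, and the function names and category labels are hypothetical.

```python
from urllib.parse import urlsplit

PERMANENT = {301, 308}        # permanent redirects: browsers cache these
TEMPORARY = {302, 303, 307}   # temporary redirects: re-evaluated on each visit


def classify_vhost(host, http_status, http_location, https_ok):
    """Classify one vhost from a probe of http://host/ and https://host/.

    http_status / http_location: status code and Location header of the
    plain-HTTP response; https_ok: whether the HTTPS request succeeded
    with a valid certificate for this host.
    """
    if not https_ok:
        return "http-only"
    if http_status in PERMANENT | TEMPORARY and http_location:
        target = urlsplit(http_location)
        same_host = (target.hostname or "").lower() == host.lower()
        if target.scheme == "https" and same_host:
            if http_status in PERMANENT:
                return "https-enforced"       # owner opted in to the redirect
            return "https-temporary-redirect"  # redirects, but not permanently
    # HTTPS works, but plain HTTP is still served (or redirects elsewhere).
    return "https-enabled"


# Constructed probe results: (host, HTTP status, Location header, HTTPS ok)
PROBES = [
    ("one.example.org", 200, None, False),
    ("two.example.org", 200, None, True),
    ("three.example.org", 301, "https://three.example.org/", True),
    ("four.example.org", 302, "https://four.example.org/", True),
    ("five.example.org", 301, "http://five.example.org/home", True),
]


def audit(probes):
    """Return {host: category} for a list of probe tuples."""
    return {h: classify_vhost(h, s, loc, ok) for h, s, loc, ok in probes}


if __name__ == "__main__":
    for host, category in audit(PROBES).items():
        print(f"{host:20} {category}")
```
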

Received on Tue Nov 21 16:15:01 2017
