savannah-hackers-public
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Savannah-hackers-public] [Repo-criteria-discuss] Savannah and HTTPS

From: Hanno Böck
Subject: Re: [Savannah-hackers-public] [Repo-criteria-discuss] Savannah and HTTPS
Date: Sun, 9 Oct 2016 11:37:12 +0200 
On Sat, 08 Oct 2016 16:58:28 -0400
Richard Stallman <address@hidden> wrote:

>   > A couple people have raised concerns about Savannah and whether
>   > it meets criteria C6, which states: "Support HTTPS properly and
>   > securely, including the site's certificates."  
> 
> The first one seems to be trying to distort the meaning of those
> words.  To support HTTPS does NOT mean to refuse to support HTTP.

It says to support HTTPS properly and *securely*. The current variant
is not secure, it is vulnerable to SSL Stripping attacks. That's why
HSTS was invented in the first place.

>   > > * Remove the nonsensical login option and make security the
>   > > default.
>   > > * Redirect all http queries to https.
>   > > * Set an HSTS header to avoid accidental http access.  
> 
> Those are not necessary.  There is no need for sites to refuse
> to support HTTP.

Can you explain that?
Leaving the HTTP default open means people's access credentials can be
stolen by an active attacker - even if they think they're using https
because of the misleading option at the login screen.
I don't think leaving people vulnerable to such attacks is ethical.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: address@hidden
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Attachment: pgpdf3zNjtmmR.pgp
Description: OpenPGP digital signature

reply via email to
[Prev in Thread] Current Thread [Next in Thread]