1. 16
  1. 1

    Sorry, but mandatory https for a news site is just a bad idea.

    If I don’t have https, why should I be denied access from getting OpenBSD news at the source?

    PHK has a great summary of why mandatory encryption is not the way to go. https://lobste.rs/s/xbjm1u/http_2_0_-_the_ietf_is_phoning_it_in

    1. 3

      PHK has written in the latest edition of Communications of the ACM (CACM) about more encryption means less privacy, which is part of the argument that mandatory https is not necessarily the solution.

      1. 3

        Link I can read: https://queue.acm.org/detail.cfm?id=2904894

        Similar previous article: http://queue.acm.org/detail.cfm?id=2508864

        I’m not sure this is relevant to undeadly’s decision to go https only. It’s an argument that one should consider political and legal ramifications (agreed). But what’s the argument that undeadly has failed to do so?

      2. 2

        Who doesn’t “have https”?

        1. 1
          1. 1

            Reading that, I see that the author is specifically against using https. I don’t see any explanation as to why. I poked around in the adjacent files but didn’t see anything else about it.

            That email is from 2010… I don’t think anything has changed since then, except the success of Let’s Encrypt, but without knowing why this writer holds that opinion, it’s really hard to comment on it.

            1. 1

              der Mouse probably still has a couple of systems built in the 90s.

              When was TLSv1.0 introduced in NetBSD and Solaris? What about TLSv1.1?

              Can you explain why you want to deny him the pleasure of reading undeadly?

              1. 3

                Because downgrade attacks are real, and if you’re not going to be secure all the time, that’s not much different from being secure none of the time.

                1. 1

                  If that’s a true concern, have a setting in user profiles to enable HSTS for X days, set by default for logged-in users, unless they specifically unset it. Problem solved. No need to disable http:// nor issue any permanent redirects for everyone regardless of conditions.

                2. 2

                  I don’t think I expressed any opinion of that nature.
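Since the exchange above turns on what HSTS actually does, and on what a policy that lasts only "X days" buys, here is an added Python sketch of the client side of RFC 6797. It is not code from this thread or from undeadly: it parses a Strict-Transport-Security header, keeps a per-host policy store, ignores headers that arrive over plain http, and shows that once max-age lapses a plain http:// request is no longer upgraded. The host names and header values are constructed placeholders.

```python
"""Minimal HSTS client-side model (RFC 6797). Added example; hosts are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

DAY = 86400


@dataclass
class HstsPolicy:
    expires_at: float          # absolute time (seconds) after which the policy is dropped
    include_subdomains: bool


def parse_hsts(header: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value into (max_age_seconds, includeSubDomains).

    Returns None for an invalid header: missing max-age, non-numeric max-age,
    or a directive given twice (RFC 6797 section 6.1 says to ignore such a header).
    Unknown directives are ignored, as the RFC requires.
    """
    max_age = None
    include_sub = False
    seen = set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """Per-host policy cache, as a browser would keep it."""

    def __init__(self) -> None:
        self.policies: Dict[str, HstsPolicy] = {}

    def observe_response(self, host: str, scheme: str, header: str, now: float) -> None:
        # Only a response received over HTTPS may set or clear policy (section 8.1);
        # otherwise an on-path attacker on plain http could plant or strip it.
        if scheme != "https":
            return
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.policies.pop(host, None)      # max-age=0 means "forget this host"
        else:
            self.policies[host] = HstsPolicy(now + max_age, include_sub)

    def is_known(self, host: str, now: float) -> bool:
        # Exact match, or a parent domain whose policy has includeSubDomains.
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            if policy.expires_at <= now:
                del self.policies[candidate]   # expired: the host is no longer "known"
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Upgrade http:// to https:// for known hosts (port handling omitted for brevity)."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname, now):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url


def demo() -> Dict[str, str]:
    """Walk through the 'HSTS for X days' idea with a 7-day policy (constructed data)."""
    store = HstsStore()
    t0 = 0.0
    store.observe_response("undeadly.example", "https",
                           "max-age=604800; includeSubDomains", t0)
    results = {
        "upgraded_day_1": store.rewrite("http://undeadly.example/cgi?action=front", t0 + DAY),
        "subdomain_day_1": store.rewrite("http://www.undeadly.example/", t0 + DAY),
        # Day 8: max-age has lapsed, so the next plain http request goes out unprotected.
        "after_expiry": store.rewrite("http://undeadly.example/cgi?action=front", t0 + 8 * DAY),
    }
    # A header seen over plain http must not create policy.
    store.observe_response("other.example", "http", "max-age=604800", t0)
    results["plain_http_ignored"] = store.rewrite("http://other.example/", t0)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the model makes concrete is the one both sides of the sub-thread are circling: HSTS protects only for as long as max-age runs and only after a first successful HTTPS visit, so a short or opt-in policy leaves a window in which a plain http:// request is sent as-is.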