infra-issues mailing list archives

From "Joan Touzet (JIRA)" <j...@apache.org>
Subject [jira] [Created] (INFRA-16753) Project websites are still accessible via http
Date Thu, 12 Jul 2018 03:30:00 GMT
Joan Touzet created INFRA-16753:
-----------------------------------

             Summary: Project websites are still accessible via http
                 Key: INFRA-16753
                 URL: https://issues.apache.org/jira/browse/INFRA-16753
             Project: Infrastructure
          Issue Type: Task
          Components: Website
            Reporter: Joan Touzet


In a long and protracted discussion with the moderator of announce@apache.org, we were reminded
that:

https://www.apache.org/dev/release-distribution#download-links

"All links to checksums, detached signatures and public keys MUST reference www.apache.org/dist/
using https:// (TLS)."

However, there is no point in these links being https unless the websites are forcibly redirected
from http -> https.

The current Infra setup allows URLs such as:

http://httpd.apache.org/

which are not forcibly redirected to the https (TLS) version. This makes the https:// links
in the project download page untrustworthy, as they could be altered in transit.

It's 2018, and every browser (even the lowly w3m) has TLS compatibility. Please forcibly redirect
all project and foundation websites to https:// versions from http:// versions. You might
want to go so far as to submit apache.org for HSTS preload, as there is no reason we wouldn't
want to do so:

https://hstspreload.org/

The moderator of announce@apache.org with whom I interacted (who has chosen so far to remain
nameless) agreed that this is a good idea, and that I should take it up with Infra.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
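The ticket asks for two things: a forced http:// to https:// redirect on every project site, and an HSTS policy strong enough for hstspreload.org to accept. The following is an added example, written for this archive page and not code from the ticket, from Infra or from the httpd project, that checks both conditions offline against a captured redirect chain and a captured Strict-Transport-Security header. The thresholds it applies are the published hstspreload.org submission requirements (max-age of at least 31536000 seconds, includeSubDomains, preload, and a first redirect to https on the same host); the sample chains and headers at the bottom are constructed, not real responses from apache.org, and the function names are the editor's own.

```python
"""Offline checks for a forced http->https redirect and a preload-eligible
HSTS header. Example code added by the editor; not Infra's or httpd's own."""
from urllib.parse import urlsplit

PRELOAD_MIN_MAX_AGE = 31536000   # one year, the hstspreload.org minimum


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict.

    Directive names are case-insensitive (RFC 6797). 'max-age' is stored as
    an int; flag directives are stored as True. A malformed max-age is dropped
    so the caller sees it as missing rather than as a bogus value."""
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if arg.isdigit():
                directives["max-age"] = int(arg)
        else:
            directives[name] = True
    return directives


def hsts_preload_problems(value):
    """Return the reasons an HSTS header would be rejected for the preload
    list; an empty list means the header is eligible. `value` is the header
    as served on the https response, or None if it was absent."""
    if value is None:
        return ["no Strict-Transport-Security header on the https response"]
    problems = []
    d = parse_hsts(value)
    if "max-age" not in d:
        problems.append("max-age missing or malformed")
    elif d["max-age"] < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age %d is below the required %d"
                        % (d["max-age"], PRELOAD_MIN_MAX_AGE))
    if not d.get("includesubdomains"):
        problems.append("includeSubDomains missing")
    if not d.get("preload"):
        problems.append("preload directive missing")
    return problems


def redirect_problems(start_url, hops):
    """Check a captured redirect chain given as (status, Location) pairs.

    The first hop from an http:// URL must be a 3xx to https:// on the same
    host (the hstspreload.org rule), should be permanent (301/308) so clients
    cache it, and no later hop may leave https. Returns a list of problems."""
    problems = []
    start = urlsplit(start_url)
    if start.scheme != "http":
        return ["chain must start at an http:// URL"]
    if not hops:
        return ["no response recorded"]
    status, location = hops[0]
    if not (300 <= status < 400) or not location:
        return ["http://%s is served directly (status %d), not redirected"
                % (start.hostname, status)]
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append("first redirect goes to %s, not https" % location)
    if target.hostname != start.hostname:
        problems.append("first redirect changes host to %s; preload requires "
                        "the same host" % target.hostname)
    if status not in (301, 308):
        problems.append("status %d is a temporary redirect; use 301 or 308"
                        % status)
    for status, location in hops[1:]:
        if 300 <= status < 400 and location \
                and urlsplit(location).scheme != "https":
            problems.append("later hop downgrades to %s" % location)
    return problems


if __name__ == "__main__":
    # Constructed sample captures (not real responses from apache.org).
    good_chain = [(301, "https://httpd.apache.org/")]
    print(redirect_problems("http://httpd.apache.org/", good_chain))   # []
    print(redirect_problems("http://httpd.apache.org/", [(200, None)]))
    print(hsts_preload_problems("max-age=31536000; includeSubDomains; preload"))
    print(hsts_preload_problems("max-age=300"))
```

To use this against a live site, record the status and Location of each hop with `curl -sI http://host/` (following one redirect at a time) and the Strict-Transport-Security header from the final https response, then feed those into the two functions; a `[200, None]` first hop is exactly the "still accessible via http" condition the ticket reports.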