infra-issues mailing list archives

From "Chris Lambertus (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (INFRA-16753) Project websites are still accessible via http
Date Tue, 21 Aug 2018 05:20:00 GMT

    [ https://issues.apache.org/jira/browse/INFRA-16753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16586945#comment-16586945 ]

Chris Lambertus commented on INFRA-16753:
-----------------------------------------

While I don't disagree that this would be a benefit, there are a variety of legacy technical
issues and certificate management issues which make this easier said than done. It is something
we plan to address in the near term, however, and I've flagged it for infra discussion at
ACNA. It has come up several times in our weekly meetings, and we are considering a variety
of approaches to provide this seamlessly and without undue technical burden.


> Project websites are still accessible via http
> ----------------------------------------------
>
>                 Key: INFRA-16753
>                 URL: https://issues.apache.org/jira/browse/INFRA-16753
>             Project: Infrastructure
>          Issue Type: Planned Work
>          Components: Website
>            Reporter: Joan Touzet
>            Priority: Minor
>
> In a long and protracted discussion with the moderator of announce@apache.org, we were reminded that:
> https://www.apache.org/dev/release-distribution#download-links
> "All links to checksums, detached signatures and public keys MUST reference www.apache.org/dist/ using https:// (TLS)."
> However, there is no point in these links being https unless the websites are forcibly redirected from http -> https.
> The current Infra setup allows URLs such as:
> http://httpd.apache.org/
> which are not forcibly redirected to the https (TLS) version. This makes the https:// links in the project download page untrustable, as they could be altered in transit.
> It's 2018, and every browser (even the lowly w3m) has TLS compatibility. Please forcibly redirect all project and foundation websites to https:// versions from http:// versions. You might want to go so far as to submit apache.org for HSTS preload, as there is no reason we wouldn't want to do so:
> https://hstspreload.org/
> The moderator of announce@apache.org with whom I interacted (who has chosen so far to remain nameless) agreed that this is a good idea, and that I should take it up with Infra.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
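
The ticket asks for two things: a forced http -> https redirect on every project site, and an apache.org HSTS policy strong enough for the hstspreload.org list. The script below is an added example, not Apache Infrastructure code or anything from this ticket; it encodes the preload-list eligibility rules (a permanent redirect from http to https on the same host, and a Strict-Transport-Security header with max-age of at least one year, includeSubDomains and preload) as checks a site owner can run against responses they have captured. The sample responses it evaluates are constructed for illustration, using httpd.apache.org from the ticket as the hostname; the header values are not observations of the real sites.

```python
"""Audit an http -> https redirect and an HSTS header against the hstspreload.org
eligibility rules. Added example for INFRA-16753; not Apache Infra code.
All sample responses at the bottom are constructed, not captured."""
from urllib.parse import urlsplit

# Preload-list minimum max-age is one year (31536000 seconds).
MIN_PRELOAD_MAX_AGE = 31536000


def _get_header(headers, name):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into
    {'max-age': int, 'includeSubDomains': bool, 'preload': bool}.
    Returns None when the header is absent or has no valid max-age,
    since browsers ignore HSTS without one."""
    if header is None:
        return None
    result = {"max-age": None, "includeSubDomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            result["max-age"] = int(value)
        elif name == "includesubdomains":
            result["includeSubDomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max-age"] is None:
        return None
    return result


def check_http_redirect(request_url, status, headers):
    """Findings for the response to a plain-http request. An empty list means
    the site forcibly redirects to https on the same host, as the ticket asks."""
    findings = []
    requested = urlsplit(request_url)
    if status not in (301, 308):
        findings.append("status %d: expected a permanent redirect (301/308)" % status)
    location = _get_header(headers, "Location")
    if location is None:
        findings.append("no Location header")
        return findings
    target = urlsplit(location)
    if target.scheme != "https":
        findings.append("redirect target is not https: %s" % location)
    if target.hostname != requested.hostname:
        findings.append("redirect changes host %s -> %s"
                        % (requested.hostname, target.hostname))
    return findings


def check_https_hsts(headers):
    """Findings for the HSTS header on the https response, measured against
    the preload-list requirements."""
    hsts = parse_hsts(_get_header(headers, "Strict-Transport-Security"))
    if hsts is None:
        return ["no valid Strict-Transport-Security header"]
    findings = []
    if hsts["max-age"] < MIN_PRELOAD_MAX_AGE:
        findings.append("max-age %d below preload minimum %d"
                        % (hsts["max-age"], MIN_PRELOAD_MAX_AGE))
    if not hsts["includeSubDomains"]:
        findings.append("missing includeSubDomains")
    if not hsts["preload"]:
        findings.append("missing preload")
    return findings


def audit(http_status, http_headers, https_headers, url="http://httpd.apache.org/"):
    """Combine both checks for one site; empty list means it passes."""
    return check_http_redirect(url, http_status, http_headers) + check_https_hsts(https_headers)


# Constructed sample responses (illustrative only, not observed on apache.org).
WEAK_HTTP = (200, {"Content-Type": "text/html"})          # served in the clear, no redirect
FIXED_HTTP = (301, {"Location": "https://httpd.apache.org/"})
WEAK_HTTPS = {"Strict-Transport-Security": "max-age=600"}  # too short, no preload flags
FIXED_HTTPS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}

if __name__ == "__main__":
    for label, http, https in (("weak", WEAK_HTTP, WEAK_HTTPS), ("fixed", FIXED_HTTP, FIXED_HTTPS)):
        print(label, audit(http[0], http[1], https) or "OK")
```

The redirect check insists on a same-host target because the preload rules reject an http site that redirects straight to a different hostname; the https check treats a header without a numeric max-age as absent, which is how browsers treat it.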
