infra-issues mailing list archives

From "Joan Touzet (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (INFRA-16753) Project websites are still accessible via http
Date Tue, 21 Aug 2018 05:29:00 GMT

    [ https://issues.apache.org/jira/browse/INFRA-16753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16586953#comment-16586953 ]

Joan Touzet commented on INFRA-16753:
-------------------------------------

Thanks Chris, I'll be at ACNA late Wednesday and all day Thursday (though I have two talks
to give); if I can help clarify anything in person, let me know.

> Project websites are still accessible via http
> ----------------------------------------------
>
>                 Key: INFRA-16753
>                 URL: https://issues.apache.org/jira/browse/INFRA-16753
>             Project: Infrastructure
>          Issue Type: Planned Work
>          Components: Website
>            Reporter: Joan Touzet
>            Priority: Minor
>
> In a long and protracted discussion with the moderator of announce@apache.org, we were reminded that:
> https://www.apache.org/dev/release-distribution#download-links
> "All links to checksums, detached signatures and public keys MUST reference www.apache.org/dist/ using https:// (TLS)."
> However, there is no point in these links being https unless the websites are forcibly redirected from http -> https.
> The current Infra setup allows URLs such as:
> http://httpd.apache.org/
> which are not forcibly redirected to the https (TLS) version. This makes the https:// links in the project download page untrustable, as they could be altered in transit.
> It's 2018, and every browser (even the lowly w3m) has TLS compatibility. Please forcibly redirect all project and foundation websites to https:// versions from http:// versions. You might want to go so far as to submit apache.org for HSTS preload, as there is no reason we wouldn't want to do so:
> https://hstspreload.org/
> The moderator of announce@apache.org with whom I interacted (who has chosen so far to remain nameless) agreed that this is a good idea, and that I should take it up with Infra.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
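
An added example, not part of the message above and not Apache Infra code: a check for the two things the issue asks for, an http -> https redirect on the same host and an HSTS header that meets the hstspreload.org submission requirements (max-age of at least 31536000, includeSubDomains, preload). The host project.example.org and both sample responses are constructed.

```python
from urllib.parse import urlsplit

PRELOAD_MIN_AGE = 31536000  # one year, the hstspreload.org minimum

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, flag set)."""
    max_age, flags = None, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            max_age = int(arg) if arg.isdigit() else None
        elif name:
            flags.add(name)
    return max_age, flags

def audit(host, http_resp, https_resp):
    """Each response is (status, headers dict); returns a list of findings."""
    findings = []
    status, headers = http_resp
    headers = {k.lower(): v for k, v in headers.items()}
    target = urlsplit(headers.get("location", ""))
    if status not in (301, 302, 307, 308):
        # Page served in cleartext: its https:// links can be rewritten in transit.
        findings.append("http: no redirect (status %d)" % status)
    elif target.scheme != "https" or target.hostname != host:
        findings.append("http: redirect is not to https on the same host")
    status, headers = https_resp
    headers = {k.lower(): v for k, v in headers.items()}
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("https: no Strict-Transport-Security header")
        return findings
    max_age, flags = parse_hsts(hsts)
    if max_age is None or max_age < PRELOAD_MIN_AGE:
        findings.append("hsts: max-age below preload minimum")
    for needed in ("includesubdomains", "preload"):
        if needed not in flags:
            findings.append("hsts: missing %s" % needed)
    return findings

# Constructed sample responses (not captured from any real server).
HOST = "project.example.org"
PLAIN = audit(HOST, (200, {"Content-Type": "text/html"}), (200, {}))
HARDENED = audit(HOST, (301, {"Location": "https://project.example.org/"}),
                 (200, {"Strict-Transport-Security":
                        "max-age=63072000; includeSubDomains; preload"}))
```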