infra-issues mailing list archives

From "Jochen Wiedmann (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (INFRA-16753) Project websites are still accessible via http
Date Tue, 11 Sep 2018 15:28:00 GMT

    [ https://issues.apache.org/jira/browse/INFRA-16753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16610793#comment-16610793 ]

Jochen Wiedmann commented on INFRA-16753:
-----------------------------------------

[~cml]: What are these "certificate management issues", please? As far as I know, certificates
are bound to a host name, and not to a protocol.

> Project websites are still accessible via http
> ----------------------------------------------
>
>                 Key: INFRA-16753
>                 URL: https://issues.apache.org/jira/browse/INFRA-16753
>             Project: Infrastructure
>          Issue Type: Planned Work
>          Components: Website
>            Reporter: Joan Touzet
>            Priority: Minor
>
> In a long and protracted discussion with the moderator of announce@apache.org, we were
> reminded that:
> https://www.apache.org/dev/release-distribution#download-links
> "All links to checksums, detached signatures and public keys MUST reference www.apache.org/dist/
> using https:// (TLS)."
> However, there is no point in these links being https unless the websites are forcibly
> redirected from http -> https.
> The current Infra setup allows URLs such as:
> http://httpd.apache.org/
> which are not forcibly redirected to the https (TLS) version. This makes the https://
> links in the project download page untrustable, as they could be altered in transit.
> It's 2018, and every browser (even the lowly w3m) has TLS compatibility. Please forcibly
> redirect all project and foundation websites to https:// versions from http:// versions. You
> might want to go so far as to submit apache.org for HSTS preload, as there is no reason we
> wouldn't want to do so:
> https://hstspreload.org/
> The moderator of announce@apache.org with whom I interacted (who has chosen so far to
> remain nameless) agreed that this is a good idea, and that I should take it up with Infra.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
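The ticket quoted above asks for two things that can be verified mechanically: plain-http requests to a project site must be answered with a redirect to https:// on the same host (otherwise the page, and every https:// download link on it, can be rewritten in transit), and the https:// response must carry a Strict-Transport-Security header that hstspreload.org will accept. The checker below is an added example written for this archive page, not Apache Infra code and not part of the JIRA thread. It works offline on constructed sample responses; `Response`, `preload_ready` and the `example.org` captures are its own inventions, and the one-year minimum `max-age` is an assumption based on the preload list's current stated requirement (the figure in force in 2018 was lower). Browsers ignore an HSTS header received over plain http, so the header is only inspected on the https response.

```python
"""Offline check of the two properties INFRA-16753 asks for, applied to
captured HTTP responses.

  1. http://<host>/ must redirect to https:// on the same host.
  2. https://<host>/ must send Strict-Transport-Security with
     max-age >= one year, includeSubDomains and preload.

Added example for this page; not Apache Infra's code.  The sample responses
at the bottom are constructed, not real captures."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption: hstspreload.org's current minimum max-age, one year in seconds.
MIN_MAX_AGE = 31536000
REDIRECT_CODES = {301, 302, 307, 308}


@dataclass
class Response:
    """Minimal stand-in for a captured response (hypothetical type)."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # Header names are case-insensitive; match accordingly.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains; preload' into a dict.
    Directive names are case-insensitive (RFC 6797); quoted values unquoted."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_http_redirect(resp):
    """Problems with the plain-http response; an empty list means it is fine."""
    problems = []
    src = urlparse(resp.url)
    if src.scheme != "http":
        return ["expected a plain http:// URL, got %s" % resp.url]
    if resp.status not in REDIRECT_CODES:
        # The state the ticket complains about: content served over http.
        return ["http://%s served %d instead of redirecting" % (src.hostname, resp.status)]
    loc = resp.header("Location")
    if loc is None:
        return ["redirect without a Location header"]
    dst = urlparse(loc)
    if dst.scheme != "https":
        problems.append("redirect target is not https: %s" % loc)
    if dst.hostname != src.hostname:
        # Preload requires the first hop to be https on the same host;
        # hopping to www. first happens over https afterwards, not here.
        problems.append("redirect leaves the host (%s -> %s)" % (src.hostname, dst.hostname))
    return problems


def check_hsts(resp):
    """Problems with the https response's HSTS header; empty list means preload-ready."""
    problems = []
    if urlparse(resp.url).scheme != "https":
        return ["HSTS only counts over https; got %s" % resp.url]
    raw = resp.header("Strict-Transport-Security")
    if raw is None:
        return ["no Strict-Transport-Security header"]
    d = parse_hsts(raw)
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        return ["max-age missing or not an integer: %r" % raw]
    if max_age < MIN_MAX_AGE:
        problems.append("max-age %d is below %d" % (max_age, MIN_MAX_AGE))
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    return problems


def preload_ready(http_resp, https_resp):
    """All problems found across both hops; an empty list means ready to submit."""
    return check_http_redirect(http_resp) + check_hsts(https_resp)


# Constructed sample responses (not real captures of any apache.org host).
# Before: plain http answers 200 and the https side sends no HSTS.
BROKEN = (
    Response("http://example.org/", 200, {"Content-Type": "text/html"}),
    Response("https://example.org/", 200, {"Content-Type": "text/html"}),
)
# After: the end state the ticket asks for.
FIXED = (
    Response("http://example.org/", 301, {"Location": "https://example.org/"}),
    Response("https://example.org/", 200,
             {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
)

if __name__ == "__main__":
    for label, pair in (("before", BROKEN), ("after", FIXED)):
        print(label, preload_ready(*pair) or "ok")
```

To run it against a live host, replace the constructed `Response` objects with the status, URL and headers of an actual `http://` and `https://` fetch made with redirects disabled; the checks themselves do not change.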
