[ https://issues.apache.org/jira/browse/INFRA-16753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16941305#comment-16941305 ]

Christopher Tubbs commented on INFRA-16753:
-------------------------------------------

Projects can very easily do this themselves (until it is required, anyway), by creating a proper {{.htaccess}} file, as in https://github.com/apache/fluo-website/pull/169/files

> Project websites are still accessible via http
> ----------------------------------------------
>
>                 Key: INFRA-16753
>                 URL: https://issues.apache.org/jira/browse/INFRA-16753
>             Project: Infrastructure
>          Issue Type: Planned Work
>          Components: Website
>            Reporter: Joan Touzet
>            Priority: Minor
>
> In a long and protracted discussion with the moderator of announce@apache.org, we were reminded that:
> https://www.apache.org/dev/release-distribution#download-links
> "All links to checksums, detached signatures and public keys MUST reference www.apache.org/dist/ using https:// (TLS)."
> However, there is no point in these links being https unless the websites are forcibly redirected from http -> https.
> The current Infra setup allows URLs such as:
> http://httpd.apache.org/
> which are not forcibly redirected to the https (TLS) version. This makes the https:// links in the project download page untrustable, as they could be altered in transit.
> It's 2018, and every browser (even the lowly w3m) has TLS compatibility. Please forcibly redirect all project and foundation websites to https:// versions from http:// versions. You might want to go so far as to submit apache.org for HSTS preload, as there is no reason we wouldn't want to do so:
> https://hstspreload.org/
> The moderator of announce@apache.org with whom I interacted (who has chosen so far to remain nameless) agreed that this is a good idea, and that I should take it up with Infra.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
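
The two conditions the issue asks for, a forced http -> https redirect and an HSTS header that meets the hstspreload.org header requirements (max-age of at least one year, includeSubDomains, preload), can be checked mechanically. The following is an added example, not part of the original thread or of any Apache project's code; the host `project.example.org` and the response pairs are constructed sample data, and `parse_hsts` and `audit` are hypothetical helper names.

```python
from urllib.parse import urlsplit

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the minimum hstspreload.org accepts


def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: argument}."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def audit(http_url, http_resp, https_resp):
    """Return findings; an empty list means redirected and preload-ready."""
    findings = []
    status, headers = http_resp
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    target = urlsplit(location)
    if not 300 <= status < 400:
        findings.append("http answered %d instead of redirecting" % status)
    elif target.scheme != "https" or target.hostname != urlsplit(http_url).hostname:
        findings.append("redirect target is not https on the same host")
    tls_headers = {k.lower(): v for k, v in https_resp[1].items()}
    hsts = parse_hsts(tls_headers.get("strict-transport-security", ""))
    if not hsts:
        return findings + ["https response has no HSTS header"]
    max_age = hsts.get("max-age", "")
    if not max_age.isdigit() or int(max_age) < PRELOAD_MIN_MAX_AGE:
        findings.append("HSTS max-age below one year")
    for directive in ("includesubdomains", "preload"):
        if directive not in hsts:
            findings.append("HSTS lacks " + directive)
    return findings


# Constructed (status, headers) pairs for a hypothetical host, not captured traffic.
URL = "http://project.example.org/"
PLAIN = ((200, {}), (200, {}))
WEAK = ((302, {"Location": "https://project.example.org/"}),
        (200, {"Strict-Transport-Security": "max-age=300"}))
FORCED = ((301, {"Location": "https://project.example.org/"}),
          (200, {"Strict-Transport-Security":
                 "max-age=31536000; includeSubDomains; preload"}))

if __name__ == "__main__":
    for name, (plain, tls) in (("plain", PLAIN), ("weak", WEAK), ("forced", FORCED)):
        print(name, audit(URL, plain, tls) or "ok")
```

The `PLAIN` case corresponds to the situation the issue describes: the http URL answers directly, so nothing forces a client onto TLS before it reads the download page.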