From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 51865 invoked by alias); 25 Apr 2016 12:43:51 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 51724 invoked by uid 89); 25 Apr 2016 12:43:50 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=0.1 required=5.0 tests=BAYES_50,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=ham version=3.3.2 spammy=adam, canonical, HTTPS, captured X-HELO: mail-wm0-f65.google.com Received: from mail-wm0-f65.google.com (HELO mail-wm0-f65.google.com) (74.125.82.65) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with (AES128-GCM-SHA256 encrypted) ESMTPS; Mon, 25 Apr 2016 12:43:39 +0000 Received: by mail-wm0-f65.google.com with SMTP id n3so24620440wmn.1 for ; Mon, 25 Apr 2016 05:43:39 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:date:from:to:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=rrRZjkWtc4xkNM8EqteDcUdJZ4bNMU53q4LuYHOKidw=; b=bGfMPH42AkVb6vWnctq8HmYKVA0ShFCndmjGJ0eM+ox1n5RkoVe4C2SfhNGQAtnOrk YwWgZA9oCHwS+i6LDJpyHILtyNLz342vqZrUzeBeFbZfg0YqvbhK7ZQ41LT/SjyMpI6k FEj9Q8EMe//bj0K4we8ED8Kv7QOFU8RQieA2sKJOXMeU0mJmpmz1KyH7O8lFYVuYuel3 iVT0VorEQFvsov+FwT8MOOB/kg2h4CjLyfDQHDY3XTs49QhX5+JQnP1j2A/DKrzyIRg9 ELnby3WVTerY+7MgzG+z+dbN4r/jHc2+ge3oo5sLZVRwAuoDISwIi5iVkPb+zYUmsw9M FwRA== X-Gm-Message-State: AOPr4FUuTxQUgJV+DrHtJ2PRntojcE8j8bPciJukV/KMRPAt018ndSHaZOvxqwnn2Ox70g== X-Received: by 10.28.171.8 with SMTP id u8mr11489457wme.97.1461588216852; Mon, 25 Apr 2016 05:43:36 -0700 (PDT) Received: from dinwoodie.org ([2001:ba8:0:1c0::9:1]) by smtp.gmail.com with ESMTPSA id v143sm18544355wmv.4.2016.04.25.05.43.35 for (version=TLS1_2 cipher=AES128-SHA bits=128/128); Mon, 25 Apr 2016 05:43:35 -0700 (PDT) Date: Mon, 25 Apr 2016 13:20:00 -0000 From: Adam Dinwoodie To: cygwin@cygwin.com Subject: Re: Proposed patch for web site: update most links to HTTPS Message-ID: <20160425124332.GO2345@dinwoodie.org> References: <1074467721.20160425030008@yandex.ru> <48360918.20160425084918@yandex.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <48360918.20160425084918@yandex.ru> User-Agent: Mutt/1.5.21 (2010-09-15) X-IsSubscribed: yes X-SW-Source: 2016-04/txt/msg00592.txt.bz2 On Mon, Apr 25, 2016 at 08:49:18AM +0300, Andrey Repin wrote: > Greetings, Brian Clifton! > > -----Original Message----- > > From: Andrey Repin > >> Greetings, Brian Clifton! > > > >>> Hi folks, > > > >>> I have a proposed change for the web site. This patch (see below) will > >>> update most of the urls to HTTPS. In many cases there was a redirect; > >>> for those I captured the new canonical address. > > > >> Please no. > > > > Can you please elaborate on why? I'm confused on why you prefer that Cygwin > > links users to non-secure versions of pages? (which in many cases will be > > redirected anyways). > > I prefer it not forcing either, and only force secure connection, when absolutely > necessary. I.e. when downloading the setup binary. > > > Links which ONLY work on http *have not* been changed and there are no other > > changes in this patch. > > Secure connections been painfully slow and just annoying, when all you need is > a quick glance at the documentation. > All internal links must be relative to the domain and not force either > protocol or the domain name. Secure connections historically had a high overhead, sure, but that's very rarely the case nowadays. Certainly my experince of loading the Cygwin web page is that there's no perceptible difference between the http and https versions. Adam Langley (a senior engineer at Google) wrote an article back in 2010 about how TLS is now computationally cheap[0]; it's only gotten cheaper since. [0]: https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html See also https://istlsfastyet.com/, which has a lot of discussion about the impacts of TLS, but the short answer is "yes". At the very least, the Cygwin website should be using protocol- independent links, meaning users accessing the website using https aren't switched to http when they click on a link (i.e. link to "//cygwin.com/path/to/page" rather than "https://cygwin.com/..." or "http://cygwin.com/..."). But I agree with Brian: the Cygwin website should use https everywhere unless there's some good, specific reason why it's a bad idea. And "TLS is slow" hasn't been a good reason for years. Adam -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple