From: Brian Clifton <brian@clifton.me>
To: "cygwin@cygwin.com" <cygwin@cygwin.com>
Subject: Re: Proposed patch for web site: update most links to HTTPS
Date: Mon, 25 Apr 2016 23:18:00 -0000 [thread overview]
Message-ID: <BL2PR03MB2288742F5DC8D8FD5C4D07ADF620@BL2PR03MB228.namprd03.prod.outlook.com> (raw)
In-Reply-To: <44C9F285-6E2A-4111-BBDE-957A6E4B4581@solidrocksystems.com>
>From: cygwin-owner@cygwin.com <cygwin-owner@cygwin.com> on behalf of Vince Rice <vrice@solidrocksystems.com>
>Sent: Monday, April 25, 2016 12:58 PM
>To: cygwin@cygwin.com
>Subject: Re: Proposed patch for web site: update most links to HTTPS
>
>> On Apr 25, 2016, at 2:33 PM, Nellis, Kenneth <Kenneth.Nellis@xerox.com> wrote:
>>
>> -----Original Message-----
>> From: Adam Dinwoodie
>>> ...
>>> But I agree with Brian: the Cygwin website
>>> should use https everywhere unless there's some good, specific reason
>>> why it's a bad idea...
>>
>> 1. Did Brian say that? I couldn't find it in the thread.
>> 2. I would be interested to hear the rationale for such a statement.
>> Cygwin is open source. What's the point of encrypting?
>
>I’m not sure what being open source has to do with it.
>It should be encrypted for privacy. Frankly, from what we’ve seen in the last couple of years, plain http: should disappear. It should all be https. (And Adam is exactly correct on the performance; it is a non-issue today and has been for years.)
Hi folks,
Sorry for the top reply in my previous posts, I'm new to email lists :)
Forcing HTTPS was the goal I had in mind, for exactly the reason Vince mentions (for security and privacy). Using relative URLs is OK if a rewrite rule is put in place, forcing HTTPS (which is the case). But many of the links updated are external and do not do that.
There are many articles about why you should always use HTTPS. The article I referenced with the patch is:
https://textslashplain.com/2016/03/17/seek-and-destroy-non-secure-references-using-the-moartls-analyzer/
Another from Google can be found here:
https://developers.google.com/web/fundamentals/security/encrypt-in-transit/why-https?hl=en
Besides security, another important consideration is that search engines prefer HTTPS links (and rank them higher, even if only by a small amount).
In addition to this patch, Apache could be configured better (Cygwin.com scores a B):
https://www.ssllabs.com/ssltest/analyze.html?d=cygwin.com
Thanks
Brian
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
next prev parent reply other threads:[~2016-04-25 20:46 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-25 0:05 Brian Clifton
2016-04-25 0:29 ` Andrey Repin
2016-04-25 5:50 ` Brian Clifton
2016-04-25 6:10 ` Andrey Repin
2016-04-25 13:20 ` Adam Dinwoodie
2016-04-25 17:41 ` Andrey Repin
2016-04-26 10:17 ` Csaba Raduly
2016-04-25 19:59 ` Nellis, Kenneth
2016-04-25 20:46 ` Vince Rice
2016-04-25 23:18 ` Brian Clifton [this message]
2016-04-26 19:19 ` Achim Gratz
2016-04-27 10:18 ` Linda Walsh
2016-05-20 16:36 ` Corinna Vinschen
2016-05-20 20:47 ` Warren Young
2016-05-22 0:30 ` Brian Clifton
2016-05-23 10:35 ` Corinna Vinschen
2016-05-24 12:42 ` Warren Young
2016-05-24 16:59 ` Corinna Vinschen
2016-05-24 18:55 ` Warren Young
2016-06-12 10:13 ` Brian Clifton
2016-06-14 19:20 ` Corinna Vinschen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=BL2PR03MB2288742F5DC8D8FD5C4D07ADF620@BL2PR03MB228.namprd03.prod.outlook.com \
--to=brian@clifton.me \
--cc=cygwin@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).