Re: [Sks-devel] redirect http to https?


From: Matthias Schreiber
Subject: Re: [Sks-devel] redirect http to https?
Date: Thu, 21 Aug 2014 00:19:17 +0200
User-agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Icedove/24.5.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

As this is obviously referring to my post, I would like to clarify a
few things in order to avoid further confusion/misunderstandings:

I never suggested redirecting http connections to https (you and
Kristian already pointed out the problems on the client side) and I
never pushed people towards encryption.

What I did was to set up my key server in order to offer hkps
connections. I saw the other ongoing post related to protocols and
cipher suites and wanted to learn how the others in the hkps pool
realized their web server configurations. I used the mentioned web
tool and saw that a smaller part of that pool had insecure and/or weak
settings related to SSL. I posted a rough summary in order to help to
improve or harden (or whatever you might say) the hkps service on
these servers. As I'm very limited with regard to programming skills
etc. I saw this as a chance to give back at least something small to
the community. From my point of view, if a certain pool of key servers
wants to offer hkps then it would be preferable if they would do it
with "state-of-the-art" implementations, protocols and cipher suites.
That was the intention of my post. Nothing more, nothing less.

And regarding the upcoming question related to threat models etc.,
Phil was so kind to write a comprehensive post worth reading, which
increased (I guess not only) my understanding of the topic.

Thank you for your time,
Matthias



On 19.08.2014 23:39, Jonathon Weiss wrote:
> 
> So, a user suggested that we should redirect all http connections
> to https.  The user was clearly confused in a number of ways about
> how the keyservers worked, and his specific examples of why it was
> important were incorrect.  That said, there's clearly at least a
> little value in pushing people toward encryption.
> 
> So, I was wondering.  Has anyone done this?  Are there concerns
> about (non-browser) clients using hkp but not supporting re-directs
> or hkps, who would then be unable to use our server?  I suppose I
> could consider leaving port 11371 as is, but force re-directs on
> port 80.  That would probably satisfy the clueless masses on the
> internet, but would it eliminate any risk of breakage?
> 
> Jonathon
> 
> Jonathon Weiss <address@hidden> MIT/IS&T/O&I  Server Operations
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iF4EAREIAAYFAlP1Ht8ACgkQk8eZk3b5umCHugD+K2+XkUAvrujorowLjq2g6sAX
i4AFf1Sx4R0eyIjiK4oA/jqtil8hWbODqwGgqn2pgjXy3QcRSO01KhPifYalDJ01
=7nHY
-----END PGP SIGNATURE-----


