Hello,
I noticed that the PGP key used for signing the Debian release packages
recently expired. I went to download the new one and noticed that nginx.org
wasn't using HTTPS by default. Manually entering a https URL works as
expected, although some pages have hard coded http links in them.
Is there a reason that the website isn't using HTTPS and STS / HPKP? It
would help mitigate potential MITM attacks especially on precompiled
binaries and PGP key downloads.
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx