Re: No HTTPS on nginx.org by default

Maxim Konovalov
August 22, 2016 01:32PM
On 8/22/16 8:15 PM, Richard Stanway wrote:
> Could you at least fix the https download page, so it doesn't
> directly link to a HTTP PGP key?
>
It works correctly: https://nginx.org/en/download.html

> On Mon, Aug 22, 2016 at 6:49 PM, Maxim Konovalov <maxim@nginx.com> wrote:
>
> On 8/22/16 7:41 PM, B.R. wrote:
> > The problem is, if the GPG key is served through HTTP, there is no
> > way to authenticate it, since it could be compromised through MITM.
> > I am very surprised to see myself being qualified as 'HTTPS despot'
> > when I just spot the obvious.
> >
> But it does not -- our PGP key is distributed through a number of
> channels, including HTTPS. Problem solved, case closed?
>
> > Compromised repository + GPG key is one very powerful way of
> > impersonating another product.
> >
> > TLS provides both encryption and authentication, based on the
> > initial shared circle of trust.
> > Thus you certify the GPG key is authentic and thus, if it verifies
> > the binaries, you ensure the delivered packages are produced by the
> > owner of the key, in the end the real author.
> >
> > In 2016, stating that content served over HTTP is 'secure' blows my
> > mind and kills your credibility.
> >
> Who did that? What's his name?
>
> > Now, as Richard pointed out, if you truly believe you need to
> > provide HTTP-only, you can. It would be better if it was in a very
> > visible fashion, though.
> > Where was despotism, again?
>
> nginx.org already has HTTPS therefore it is
> not HTTP-only.
>
> > ---
> > *B. R.*
> >
> > On Mon, Aug 22, 2016 at 5:40 PM, Richard Stanway
> > <r1ch+nginx@teamliquid.net> wrote:
> >
> > 1. You could provide insecure.nginx.org mirror for such people, make
> > nginx.org secure by default.
> >
> > 2. Modern server CPUs are already extremely energy efficient,
> > TLS adds negligible load. See https://istlsfastyet.com/
> >
> >
> >
> > On Mon, Aug 22, 2016 at 12:31 PM, Valentin V. Bartenev
> > <vbart@nginx.com> wrote:
> >
> > On Sunday 21 August 2016 15:56:09 B.R. wrote:
> > > It is surprising, since I remember Ilya Grigorik made a talk about TLS
> > > during the first ever nginx conf in 2014:
> > > https://www.youtube.com/watch?v=iHxD-G0YjiU
> > > https://istlsfastyet.com/
> >
> > It's just Ilya's opinion. You are free to agree or not.
> >
> >
> > >
> > > Thus, there is no reason for not going full-HTTPS in delivering Web pages.
> >
> > There are at least two reasons to not use HTTPS:
> >
> > 1. Provide easy access to information for people who can't
> > use encryption for political, legal, or technical reasons.
> >
> > 2. Don't waste resources on encryption, and thus save our
> > planet.
> >
> > Please, don't be a TLS despot and let people have a
> > choice to use encryption or not.
> >
> > I think the situation when I can't download a new version of
> > OpenSSL using an old version of OpenSSL is ridiculous, but they
> > have configured openssl.org that way.
> > How am I supposed to use the Internet then?
> >
> > wbr, Valentin V. Bartenev
> >
>
>
> --
> Maxim Konovalov
> Join us at nginx.conf, Sept. 7-9, Austin, TX:
> http://nginx.com/nginxconf
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx


--
Maxim Konovalov
Join us at nginx.conf, Sept. 7-9, Austin, TX: http://nginx.com/nginxconf
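
The condition raised in this thread, an HTTPS download page that links to its PGP key over plain HTTP, can be checked mechanically. The following is an added example, not part of the original messages and not nginx code; the host `downloads.example`, the sample markup and the suffix list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Suffixes treated as trust anchors (keys, detached signatures).
# This list is an assumption for the example, not taken from the thread.
TRUST_SUFFIXES = (".key", ".asc", ".sig", ".gpg", ".pgp")


class _LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def insecure_trust_links(page_url, html):
    """Return absolute URLs of key/signature links not fetched over HTTPS."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        # Relative and scheme-relative links inherit the scheme of the page.
        absolute = urljoin(page_url, href)
        parts = urlparse(absolute)
        if parts.path.lower().endswith(TRUST_SUFFIXES) and parts.scheme != "https":
            findings.append(absolute)
    return findings


# Constructed sample page, not the real nginx.org markup.
SAMPLE_URL = "https://downloads.example/en/download.html"
SAMPLE_HTML = """
<a href="/download/pkg-1.0.tar.gz">pkg-1.0</a>
<a href="/download/pkg-1.0.tar.gz.asc">pgp</a>
<a href="http://downloads.example/keys/signing.key">signing key</a>
<a href="//downloads.example/keys/backup.key">backup key</a>
"""

if __name__ == "__main__":
    for url in insecure_trust_links(SAMPLE_URL, SAMPLE_HTML):
        print("plain-HTTP trust anchor:", url)
```

Only the hard-coded `http://` key link is reported when the page is loaded over HTTPS; the same markup loaded over HTTP reports every key and signature link, since relative links then resolve to HTTP as well.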
