This is the mail archive of the
cygwin
mailing list for the Cygwin project.
Re: Proposed patch for web site: update most links to HTTPS
- From: Brian Clifton <brian at clifton dot me>
- To: "cygwin at cygwin dot com" <cygwin at cygwin dot com>
- Date: Mon, 25 Apr 2016 20:46:26 +0000
- Subject: Re: Proposed patch for web site: update most links to HTTPS
- Authentication-results: sourceware.org; auth=none
- Authentication-results: cygwin.com; dkim=none (message not signed) header.d=none;cygwin.com; dmarc=none action=none header.from=clifton.me;
- References: <20160425124332 dot GO2345 at dinwoodie dot org> <0D835E9B9CD07F40A48423F80D3B5A702EAF3FBD at USA7109MB022 dot na dot xerox dot net>,<44C9F285-6E2A-4111-BBDE-957A6E4B4581 at solidrocksystems dot com>
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:23
>From: cygwin-owner@cygwin.com <cygwin-owner@cygwin.com> on behalf of Vince Rice <vrice@solidrocksystems.com>
>Sent: Monday, April 25, 2016 12:58 PM
>To: cygwin@cygwin.com
>Subject: Re: Proposed patch for web site: update most links to HTTPS
>
>> On Apr 25, 2016, at 2:33 PM, Nellis, Kenneth <Kenneth.Nellis@xerox.com> wrote:
>>
>> -----Original Message-----
>> From: Adam Dinwoodie
>>> ...
>>> But I agree with Brian: the Cygwin website
>>> should use https everywhere unless there's some good, specific reason
>>> why it's a bad idea...
>>
>> 1. Did Brian say that? I couldn't find it in the thread.
>> 2. I would be interested to hear the rationale for such a statement.
>> Cygwin is open source. What's the point of encrypting?
>
>I’m not sure what being open source has to do with it.
>It should be encrypted for privacy. Frankly, from what we’ve seen in the last couple of years, plain http: should disappear. It should all be https. (And Adam is exactly correct on the performance; it is a non-issue today and has been for years.)
Hi folks,
Sorry for the top reply in my previous posts, I'm new to email lists :)
Forcing HTTPS was the goal I had in mind, for exactly the reason Vince mentions (for security and privacy). Using relative URLs is OK if a rewrite rule is put in place, forcing HTTPS (which is the case). But many of the links updated are external and do not do that.
There are many articles about why you should always use HTTPS. The article I referenced with the patch is:
https://textslashplain.com/2016/03/17/seek-and-destroy-non-secure-references-using-the-moartls-analyzer/
Another from Google can be found here:
https://developers.google.com/web/fundamentals/security/encrypt-in-transit/why-https?hl=en
Besides security, another important consideration is that search engines prefer HTTPS links (and rank them higher, even if only by a small amount).
In addition to this patch, Apache could be configured better (Cygwin.com scores a B):
https://www.ssllabs.com/ssltest/analyze.html?d=cygwin.com
Thanks
Brian
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple