[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Sks-devel] redirect http to https?
|
From: |
Jonathon Weiss |
|
Subject: |
Re: [Sks-devel] redirect http to https? |
|
Date: |
Thu, 21 Aug 2014 16:53:48 -0400 |
Just for the record, but question was prompted by a user who sent mail to the
contact point for pgp.mit.edu, and not by anything I saw on this list.
Jonathon
Matthias Schreiber <address@hidden> wrote:
> As this is obviously referring to my post, I would like to clarify a
> few things in order to avoid further confusion/misunderstandings:
>
> I never suggested to redirect http connections to https (you and
> Kristian already pointed the problems on the client-side out) and I
> never pushed people towards encryption.
>
> What I did was to setup my key server in order to offer hkps
> connections. I saw the other ongoing post related to protocols and
> cipher suites and wanted to learn how the others in the hkps pool
> realized their web server configurations. I used the mentioned web
> tool and saw that a smaller part of that pool had insecure and/or weak
> settings related to SSL. I posted a rough summary in order to help to
> improve or harden (or whatever you might say) the hkps service on
> these servers. As I'm very limited with regard to programming skills
> etc. I saw this as a chance to give back at least something small to
> the community. From my point of view, if a certain pool of key servers
> wants to offer hkps then it would be preferable if they would do it
> with "state-of-the-art" implementations, protocols and cipher suites.
> That was the intention of my post. Nothing more, nothing less.
>
> And regarding to the upcoming question related to thread models etc.,
> Phil was so kind to write a comprehensive post worth reading, which
> increased (I guess not only) my understanding of the topic.
>
> Thank you for your time,
> Matthias
>
>
>
> Am 19.08.2014 23:39, schrieb Jonathon Weiss:
> >
> > So, a user suggested that we should redirect all http connections
> > to https. The user was clearly confused in a number of ways about
> > how the keyservers worked, and his specific examples of why it was
> > important were incorrect. That said, there's clearly at least a
> > little value in pushing people toward encryption.
> >
> > So, I was wondering. Has anyone done this? Are there concerns
> > about (non-browser) clients using hkp but not supporting re-directs
> > or hkps, who would then be unable to use our server? I suppose I
> > could consider leaving port 11371 as is, but force re-directs on
> > port 80. That would probably satisfy the clueless masses on the
> > internet, but would it eliminate any risk of breakage?
> >
> > Jonathon
> >
> > Jonathon Weiss <address@hidden> MIT/IS&T/O&I Server Operations
> >
> > _______________________________________________ Sks-devel mailing
> > list address@hidden
> > https://lists.nongnu.org/mailman/listinfo/sks-devel
> >