Re: [dev] suckless.org TLS / HTTPS support

From: Hiltjo Posthuma <hiltjo_AT_codemadness.org>
Date: Thu, 31 Aug 2017 15:36:03 +0200

On Thu, Aug 31, 2017 at 03:07:11PM +0200, Anselm R Garbe wrote:
> On 31 August 2017 at 14:45, hiro <23hiro_AT_gmail.com> wrote:
> > Now we have something much worse: letsencrypt and this completely
> > insecure http redirection snake-oil.
> >
> > With letsencrypt you now have to put extra work (can't keep track of
> > all the individual subdomains either, wildcards are suddenly a
> > security risk?!), and nobody bothers to quantify the amount of gained
> > security.
>
> I don't really mind letsencrypt (actually I wouldn't mind making a
> deal with HonestAchmed or his cousin -- we can all trust them, because
> the uncle of a friend is his step brother and knows the family very
> well ;)), but I'm also a sceptic of HSTS.
>

Can you explain why you are a sceptic of HSTS?

> Where do we really have a downgrade risk? In the content suckless
> offers, this can be solved by using relative or non-protocol hrefs
> everywhere. I wouldn't mind if existing external links are not
> redirected; over time external references will adopt slowly.
>
> BR,
> Anselm
>

There is no issue (anymore) because I fixed the main template.
An example is that the logo.svg had a direct http:// link. This gives a
"mixed content" warning in your browser. A MITM can abuse plain-text
traffic; this is not possible after specifying an HSTS header. Of course
the person has to first make a single HTTPS request with the HSTS header
set. After that it works (until the expiration date, which is set to
1 year atm).

-- 
Kind regards,
Hiltjo
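As an added illustration (not code from this thread or from suckless.org), here is a small Python model of the two points Hiltjo makes: a scan of a page for resources still linked over plain http:// (the logo.svg mixed-content case), and a client-side HSTS store that honours the header only after one HTTPS response and only until max-age runs out. The HTML and the example.org hostnames are constructed.

```python
import re
import time

# Constructed sample page (not the real suckless.org template): the image is
# still referenced over plain http://, which is the "mixed content" case.
SAMPLE_HTML = """<html><body>
<img src="http://example.org/logo.svg">
<a href="//example.org/wiki/">wiki</a>
<link rel="stylesheet" href="https://example.org/style.css">
</body></html>"""

def find_mixed_content(html):
    """Return every src=/href= URL with an explicit http:// scheme (flagged on an HTTPS page)."""
    return re.findall(r'(?:src|href)\s*=\s*["\'](http://[^"\']+)', html, re.I)

def parse_hsts(header):
    """Parse a Strict-Transport-Security value such as 'max-age=31536000; includeSubDomains'."""
    policy = {"max-age": None, "includeSubDomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max-age"] = int(value)
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
    return policy

class HstsCache:
    """Minimal model of a browser's HSTS store (RFC 6797); clock is injectable for testing."""
    def __init__(self, now=time.time):
        self.now, self.entries = now, {}   # entries: host -> (expires_at, include_subdomains)
    def observe(self, host, header, over_tls=True):
        # Only an error-free HTTPS response may set policy; a header seen over plain
        # http:// is ignored, which is why the first request has to be an HTTPS one.
        policy = parse_hsts(header) if over_tls else {"max-age": None}
        if policy["max-age"] is None:
            return
        if policy["max-age"] == 0:        # max-age=0 tells the client to forget the host
            self.entries.pop(host, None)
            return
        self.entries[host] = (self.now() + policy["max-age"], policy["includeSubDomains"])

    def should_upgrade(self, host):
        """True if the client must rewrite an http:// request to host into https://."""
        for known, (expires_at, include_subdomains) in self.entries.items():
            if expires_at <= self.now():
                continue                  # policy expired (the thread mentions a 1-year max-age)
            if host == known or (include_subdomains and host.endswith("." + known)):
                return True
        return False
```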