Force https for imfreedom.org website?
kstange at pidgin.im
Mon Apr 1 18:40:08 EDT 2013
On 04/01/2013 02:50 AM, Mark Doliner wrote:
> How do people feel about redirecting from http to https for all URLs on
> imfreedom.org <http://imfreedom.org>?
> My reasons for wanting to do this are:
> - Secure interactions with the protocol documentation wiki to prevent
> password stealing and session hijacking.
> - Reduce the chances of a MITM sending altered content to a user. Â This
> is extremely unlikely, because who in their right mind would want to
> mess with this content...? Â I mean, who cares?
This sounds fine. I'm in favor of having all pidgin resources that we
want verifiable on SSL as long as we have the CPU power. A lot of deal
has been made about serving our downloads from SSL. I am fine with this
and Steadfast is on board if we want to serve downloads from the server
(nicobar) to accomplish this.
> - We'll have to keep buying SSL certs.
We can continue to get SSL certificates startcom for free as long as we
don't need EV certs or wildcards. We can get pretty much as many as we
want. The only concern is that normally each cert requires a separate
IP unless we want to assume all the browsers we see support passing the
SSL vhost information.
> - Little bit slower to load, especially for users with high latency to
> our server, (TLS negotiation requires Â more round trips).
I am not concerned about this.
More information about the Discussion