Force https for website?

Kevin Stange kstange at
Mon Apr 1 18:40:08 EDT 2013

On 04/01/2013 02:50 AM, Mark Doliner wrote:
> How do people feel about redirecting from http to https for all URLs on
> <>?
> My reasons for wanting to do this are:
> - Secure interactions with the protocol documentation wiki to prevent
> password stealing and session hijacking.
> - Reduce the chances of a MITM sending altered content to a user.  This
> is extremely unlikely, because who in their right mind would want to
> mess with this content...?  I mean, who cares?

This sounds fine.  I'm in favor of having all pidgin resources that we 
want verifiable on SSL as long as we have the CPU power.  A big deal 
has been made about serving our downloads from SSL.  I am fine with this 
and Steadfast is on board if we want to serve downloads from the server 
(nicobar) to accomplish this.

> Downsides:
> - We'll have to keep buying SSL certs.

We can continue to get SSL certificates from StartCom for free as long as we 
don't need EV certs or wildcards.  We can get pretty much as many as we 
want.  The only concern is that normally each cert requires a separate 
IP unless we want to assume all the browsers we see support passing the 
SSL vhost information.

> - Little bit slower to load, especially for users with high latency to
> our server, (TLS negotiation requires more round trips).

I am not concerned about this.


