On 1 September 2017 at 13:10, Ask Bjørn Hansen <a...@perl.org> wrote:
> Hi everyone,
>
> We’re considering how/how-much we can make www.cpan.org TLS-only.
> http://log.perl.org/2017/08/tls-only-for-wwwcpanorg.html
>
> I expect that we can’t make the whole site TLS-only without breaking some 
> CPAN clients, so the conservative version is to force TLS for
>
> - any url ending in *.html
> - any url not in matching some variation of
>      (/authors/ | /MIRRORED.BY | ^/modules/[^/]+ )
>
> Does that sound about right? Maybe /src/, too?
>
> (Also - we will support TLS for www.cpan.org permanently now, so please 
> update URLs where possible and appropriate).
>

I'm just side-stepping the "what" momentarily to ascertain the "why".

I know plain-text is "insecure", but it's not clear currently from this
proposal what content needs securing, and what the real
vulnerabilities this aims to solve are.

There probably are some, but it needs to be much more clear.
Specifically, so we know the solution we pick fixes the problem we
know is there, and so it's obvious that the downsides of the chosen
solution are necessary.

As it stands, it *looks* like the argument is "we're going to do this
because otherwise google might be more shouty". (I assume it isn't;
just from the context I have, that's all I've got to go on, so I'm
looking for additional context.)

> Ask



-- 
Kent

KENTNL - https://metacpan.org/author/KENTNL
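As an added illustration of the rule set Ask sketched in the quoted message (this is example code written for this page, not code from the thread and not the actual www.cpan.org configuration), the following Python encodes one literal reading of the proposal: a plain-HTTP request is redirected to TLS if the path ends in .html, or if it does not match one of the exempt patterns that legacy CPAN clients fetch over HTTP. The exact exemption patterns, the anchoring of ^/modules/[^/]+ (exempting only files directly under /modules/), the optional /src/ variant, and the sample paths are my assumptions; Ask wrote "some variation of", so the real expression may differ.

```python
import re
from typing import Iterable, Optional, Tuple

# Constructed reading of the exemptions in the proposal (assumption, not the
# real www.cpan.org rule set): paths a legacy, non-TLS CPAN client fetches
# over plain HTTP, which therefore must NOT be redirected to https.
DEFAULT_EXEMPT = (
    r"^/authors/",           # distributions and CHECKSUMS files
    r"^/MIRRORED\.BY$",      # the mirror list
    r"^/modules/[^/]+$",     # e.g. 02packages.details.txt.gz, directly under /modules/
)

# The "maybe /src/, too?" variant floated in the same message (assumption).
EXEMPT_WITH_SRC = DEFAULT_EXEMPT + (r"^/src/",)


def must_force_tls(path: str, exempt: Iterable[str] = DEFAULT_EXEMPT) -> bool:
    """Decide whether a plain-HTTP request for `path` should be redirected to TLS.

    Rule order follows the proposal: anything ending in .html is always forced,
    and otherwise only paths matching an exemption stay reachable over HTTP.
    """
    path = path.split("?", 1)[0]          # the query string never affects the decision
    if path.endswith(".html"):
        return True
    return not any(re.search(pattern, path) for pattern in exempt)


def plan_response(host: str, path: str, over_tls: bool,
                  exempt: Iterable[str] = DEFAULT_EXEMPT) -> Tuple[str, Optional[str]]:
    """Return ("serve", None) or ("redirect", location) for one request.

    TLS requests are always served (the message says TLS is supported
    permanently); plain-HTTP requests are served only for exempt paths.
    """
    if over_tls or not must_force_tls(path, exempt):
        return ("serve", None)
    return ("redirect", f"https://{host}{path}")


if __name__ == "__main__":
    # Constructed sample paths chosen to exercise the edge cases of the rule set.
    samples = [
        "/index.html",
        "/authors/id/K/KE/KENTNL/Foo-1.0.tar.gz",
        "/MIRRORED.BY",
        "/modules/02packages.details.txt.gz",
        "/modules/by-module/Foo/Bar-1.0.tar.gz",
        "/modules/by-module/index.html",
        "/src/5.0/perl-5.26.0.tar.gz",
    ]
    for p in samples:
        print(f"{p:45s} default={must_force_tls(p)!s:5s} "
              f"with_src={must_force_tls(p, EXEMPT_WITH_SRC)}")
```

Writing the decision down is what exposes the questions a reviewer would want answered before flipping the switch: under this anchoring a deeper path such as /modules/by-module/... is forced to TLS while /modules/02packages.details.txt.gz is not, an .html file under an exempt prefix is still redirected, and whether /src/ belongs in the exemption list changes the answer for the perl tarballs.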