On Aug 31, 2017, at 9:10 PM, Ask Bjørn Hansen <a...@perl.org> wrote:

> Hi everyone,
> 
> We’re considering how/how-much we can make www.cpan.org TLS-only.
> http://log.perl.org/2017/08/tls-only-for-wwwcpanorg.html
> 
> I expect that we can’t make the whole site TLS-only without breaking some 
> CPAN clients, so the conservative version is to force TLS for
> 
> - any url ending in *.html
> - any url not matching some variation of
>     (/authors/ | /MIRRORED.BY | ^/modules/[^/]+ )
> 
> Does that sound about right? Maybe /src/, too?
> 
> (Also - we will support TLS for www.cpan.org permanently now, so please 
> update URLs where possible and appropriate).

That file does not prevent someone from taking over the domain and modifying 
the files. Nor will it notice man-in-the-middle attacks. Any request 
without TLS has no proof of domain control. That, along with encryption, is the 
driving force behind the current “TLS for everything” movement.

Best,

David
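
The conservative redirect rule proposed in the quoted message, written out as a testable decision function. This is an added example, not code from the thread or from the cpan.org configuration. Anchoring /authors/ and /MIRRORED.BY at the start of the path is an assumption; the /modules/ pattern is used as written, and the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Paths left on plain HTTP for legacy CPAN clients, from the quoted proposal:
#   (/authors/ | /MIRRORED.BY | ^/modules/[^/]+ )
HTTP_EXEMPT = re.compile(
    r"^/authors/"          # assumption: anchored at the start of the path
    r"|^/MIRRORED\.BY$"    # assumption: exact match on the mirror list
    r"|^/modules/[^/]+"    # as written: anything below /modules/, not the index
)


def redirect_target(url):
    """Return the https:// URL to redirect to, or None to answer as requested."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return None                      # already TLS, nothing to force
    path = parts.path or "/"
    # Rule 1: every *.html page is forced to TLS, even under an exempt prefix.
    # Rule 2: everything outside the exempt set is forced to TLS.
    if path.endswith(".html") or not HTTP_EXEMPT.search(path):
        return parts._replace(scheme="https").geturl()
    return None                          # exempt: stays on unauthenticated HTTP


# Constructed sample requests.
SAMPLES = [
    "http://www.cpan.org/index.html",
    "http://www.cpan.org/authors/00whois.html",
    "http://www.cpan.org/authors/id/A/AU/AUTHOR/Example-1.0.tar.gz",
    "http://www.cpan.org/MIRRORED.BY",
    "http://www.cpan.org/modules/02packages.details.txt.gz",
    "http://www.cpan.org/modules/",
    "http://www.cpan.org/src/README",
]


def classify(urls):
    """Map each URL to 'redirect' or 'plain-http'."""
    return {u: "redirect" if redirect_target(u) else "plain-http" for u in urls}


if __name__ == "__main__":
    for url, verdict in classify(SAMPLES).items():
        print(f"{verdict:10}  {url}")
```

Every URL reported as plain-http is still fetched without TLS, so the reply's point about proof of domain control applies to exactly that set.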
