Mark,

On 2/25/20 17:29, Mark Thomas wrote:
> On 25/02/2020 20:45, Christopher Schultz wrote:
>> Mark,
>>
>> On 2/25/20 14:34, Mark Thomas wrote:
>>> On 25/02/2020 15:53, Felix Schumacher wrote:
>>>> Hi all,
>>>>
>>>> as more and more browsers are marking http as unsecure, we
>>>> should redirect all http requests to tomcat.apache.org to
>>>> https.
>>>
>>> I really don't like this.
>>>
>>> I'm happy to support https for those people that want to use it
>>> but I see no need to require https for everybody for
>>> tomcat.apache.org.
>>>
>>> We should not be dictating to our users what security / privacy
>>> / caching / performance / etc. trade-offs are appropriate for
>>> them. We should support as many options as possible and let our
>>> users decide.
>>>
>>> I'm not quite -1 on this but I am close.
>>
>> https://www.troyhunt.com/heres-why-your-static-website-needs-https/
>
> Sorry, not convinced. We need to let users make this choice.
>
> The numbers are significant.
>
> tomcat.apache.org from China can be significantly slower over
> https compared to http. Typically 2 to 3 times slower in my testing
> with
>
> https://www.websitepulse.com/tools/china-firewall-test#
>
> 3.5s to 8s to load the index page over https compared to ~1.5s
> over http. That said, I didn't repeat the test enough for those
> results to be considered statistically reliable.

Plus, the Great Firewall is already a giant MiTM, so forcing HTTPS
doesn't really prevent them from performing whatever content
filtering/tampering they want, anyway.

> Not everyone has a low latency, high bandwidth connection to the
> internet. We need to let the users decide if they want to pay the
> performance penalty for the benefits of https or not. We should not
> be assuming we know best for everyone.

What's a few three-legged handshakes between friends?

Hopefully TLSv1.3 will improve things for everyone. Well, unless they
are deployed in AWS (*ducks*).

-chris