URL:
<http://gna.org/task/?7989>
Summary: Freeciv clients to access meta.freeciv.org over
HTTPS
Project: Freeciv
Submitted by: jtn
Submitted on: Mon 04 Jul 2016 11:03:41 PM BST
Should Start On: Mon 04 Jul 2016 12:00:00 AM BST
Should be Finished on: Mon 04 Jul 2016 12:00:00 AM BST
Category: None
Priority: 5 - Normal
Status: Need Info
Privacy: Public
Percent Complete: 0%
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Effort: 0.00
Planned Release:
_______________________________________________________
Details:
Following on from task #7988, it would be natural to ask whether clients
should start to access the metaserver, meta.freeciv.org, over HTTPS by
default.
The biggest problem I see is with our shipping Windows clients. I think these
ship with an entire HTTP(S) implementation (Curl) that I think never gets
updates, whereas the modern HTTPS world assumes clients (== browsers) are
frequently updated. So if we start having clients making use of that HTTPS
implementation, we're obliged to keep our metaserver able to talk to those old
clients for a long time.
This might complicate our administration; we might have to keep old deprecated
algorithms and methods enabled on our web server, possibly increasing our
attack surface, and in the worst case we may not be able to get renewed
certificates that are compatible with our oldest clients.
(Surely the algorithms and so on in our shipped Curl are frozen in time. I'm
less sure whether the CA, revocation, etc data is also frozen or whether it
can magically use CA information from the operating system, i.e. what Internet
Explorer uses, which is more likely to be kept up to date.)
So I think this may be more trouble than it's worth.
_______________________________________________________
Reply to this item at:
<http://gna.org/task/?7989>
_______________________________________________
Message sent via/by Gna!
http://gna.org/
_______________________________________________
Freeciv-dev mailing list
[email protected]
https://mail.gna.org/listinfo/freeciv-dev
