On Fri, Mar 27, 2015 at 06:14:38PM +0100, Thomas D. wrote:
> > Right now we seem to have a mix:
> > * A number of webpages default to http and have optional https
> >   (www.gentoo.org)
> > * Some with sensitive logins are already https by default (e.g.
> >   bugs.gentoo.org), but they don't use hsts, which they should
> > * Some with logins are mixed http/login-via-https, which makes them
> >   vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org)
> Don't forget the forum (http://forums.gentoo.org/). Even if you connect
> to https://forums.gentoo.org/ it will always fall back to HTTP.

I can't reproduce this downgrade that you describe; please provide some
steps to show it?

--
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead
E-Mail     : robb...@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85