On Tue, May 10, 2016 at 11:39:44AM +0000, Giancarlo Razzolini wrote:
> On May 10, 2016 1:29 Bob Beck wrote:
> >
> > And statements like this - and people that think this is a good idea,
> > are why I spoof DNS answers in bars and coffee shops, and why I don't
> > read misc@. This is never a good idea, unless you want the
> > connections intercepted and MITM'ed.
> >
>
> I don't see the issue with this, Bob. Of course it means the first access is
> the one with very high value. But so it is with HPKP, and so it is with SSH
> itself. I see that you guys are working on having OpenBSD included in HTTPS
> Everywhere and all. But it still leaves it up to the user. If you put HSTS on
> top of a one-time redirect, the client will never again access the site using
> http. It is a concession. One that you don't seem keen to make. And, on
> second thought, I only care about the anoncvs page where you have the ssh host
> keys. The rest of the site can be left unencrypted. Until every UA is changed
> to first try TLS and *only then* fall back to clear-text http, this kind of
> measure has its uses.

We are not working on the HTTPS Everywhere rules for *.openbsd.org. The guy
who sent the pull request is not part of the project.

-- 
Juan Francisco Cantero Hurtado
http://juanfra.info