On 2018-01-15, who one <whoonet...@mail.com> wrote:
> Hello, 
>
> http://www.openbsdfoundation.org/
> http://firmware.openbsd.org/firmware/
>
> When can we have HTTPS connection on these websites? 
>
> What website remains that doesn't have HTTPS yet and related to OpenBSD? 
>
> Security should be in layers, HTTPS is one additional layer. 
>
> 70% of the websites in the world use HTTPS: https://letsencrypt.org/stats/, 
> see "Percentage of Web Pages Loaded by Firefox Using HTTPS". If OpenBSD is 
> security oriented, HTTPS should be de facto. 
>
> Many thanks.
>
>

I can't speak for openbsdfoundation, but for firmware.openbsd.org it's
hosted on various machines run by different people. I'm not sure if
there's any viable way to handle keys and certificates for this type
of situation.

Firmware packages do have signify(1) signatures themselves. These
are verified early - before passing to gzip to decompress them.
However there is a remaining issue that a MITM could suppress
certain packages, or provide older signed versions.
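
The residual risk described in the reply above, validly signed but stale or missing packages, can be detected on the client by remembering the highest version it has already accepted. This is an added example, not part of the original message and not OpenBSD's own code; the `<name>-firmware-<version>.tgz` naming, the function names and the sample data are assumptions constructed for illustration, and signature checking with signify(1) is assumed to have happened already.

```python
import re

# Assumed naming scheme (constructed for this example): <name>-firmware-<version>.tgz
PKG_RE = re.compile(r"^(?P<name>[a-z0-9]+-firmware)-(?P<ver>\d+(?:\.\d+)*)\.tgz$")


def parse_listing(filenames):
    """Map package name -> highest version tuple among well-formed entries."""
    offered = {}
    for fn in filenames:
        m = PKG_RE.match(fn)
        if not m:
            continue  # signature files, indexes and the like are ignored
        ver = tuple(int(p) for p in m.group("ver").split("."))
        name = m.group("name")
        offered[name] = max(ver, offered.get(name, ver))
    return offered


def check_listing(trusted_state, filenames):
    """Compare a fetched listing with versions this client accepted earlier.

    A signature proves who built a package, not that it is the newest one,
    so a package that disappears or goes backwards is reported.
    Returns (findings, new_state); new_state never moves a version backwards.
    """
    offered = parse_listing(filenames)
    findings = []
    for name, known in sorted(trusted_state.items()):
        if name not in offered:
            findings.append(("suppressed", name, known, None))
        elif offered[name] < known:
            findings.append(("rollback", name, known, offered[name]))
    new_state = dict(trusted_state)
    for name, ver in offered.items():
        if ver >= trusted_state.get(name, ver):
            new_state[name] = ver
    return findings, new_state


# Constructed sample data: local state from an earlier run, and a new listing.
STATE = {"alpha-firmware": (1, 4), "beta-firmware": (0, 20170105),
         "gamma-firmware": (2, 0)}
LISTING = ["alpha-firmware-1.4.tgz", "beta-firmware-0.20160101.tgz",
           "delta-firmware-3.1.tgz", "SHA256.sig"]

if __name__ == "__main__":
    for finding in check_listing(STATE, LISTING)[0]:
        print(finding)
```

The state has to be kept locally and updated only after a listing passes, otherwise the party serving the listing also controls the baseline.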

