On Sat, 08 Oct 2016 16:58:28 -0400 Richard Stallman <[email protected]> wrote:
> > A couple people have raised concerns about Savannah and whether
> > it meets criteria C6, which states: "Support HTTPS properly and
> > securely, including the site's certificates."
>
> The first one seems to be trying to distort the meaning of those
> words. To support HTTPS does NOT mean to refuse to support HTTP.

It says to support HTTPS properly and *securely*. The current variant is not secure; it is vulnerable to SSL Stripping attacks. That's why HSTS was invented in the first place.

> > > * Remove the nonsensical login option and make security the
> > > default.
> > > * Redirect all http queries to https.
> > > * Set an HSTS header to avoid accidental http access.
>
> Those are not necessary. There is no need for sites to refuse
> to support HTTP.

Can you explain that? Leaving the HTTP default open means people's access credentials can be stolen by an active attacker - even if they think they're using https because of the misleading option at the login screen.

I don't think leaving people vulnerable to such attacks is ethical.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: [email protected]
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
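The attack the message describes, and the three countermeasures it lists, as an added simulation (this is editor-supplied example code, not anything from the thread, from Savannah or from GNU). The host name `savannah.example`, the paths and the credentials are made up. The model is deliberately small: the attacker sits on the path, can read and rewrite plaintext HTTP, and cannot forge a certificate, so it never sees inside a TLS connection. It fetches the real site over HTTPS on the victim's behalf, rewrites `https://` links to `http://` and drops the `Strict-Transport-Security` header, which is exactly what an SSL-stripping proxy does. The four scenarios show that offering HTTP at all exposes the login, that a 301 redirect alone does not help against an active attacker (the proxy simply never forwards it), that HSTS only protects a browser that has already seen the header once over a clean connection (or has the host preloaded), and that once it is cached the browser upgrades internally and no plaintext request is ever sent.

```python
"""Simulated SSL stripping against a login page, with and without the
HTTP->HTTPS redirect and the HSTS header.  Editor-added example; hosts,
paths and credentials are constructed for the simulation."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security header value (RFC 6797, 6.1)."""
    out = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            out["max_age"] = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            out["include_subdomains"] = True
    return out


@dataclass
class Response:
    status: int
    headers: dict
    body: str = ""


@dataclass
class Server:
    """Origin server with the two knobs the thread argues about."""
    host: str
    redirect_http: bool = False            # 301 every http:// request to https://
    hsts_max_age: Optional[int] = None     # None = no Strict-Transport-Security header

    def handle(self, scheme: str, path: str, form: Optional[dict] = None) -> Response:
        if scheme == "http" and self.redirect_http:
            return Response(301, {"Location": f"https://{self.host}{path}"})
        headers = {}
        if scheme == "https" and self.hsts_max_age is not None:
            headers["Strict-Transport-Security"] = f"max-age={self.hsts_max_age}"
        if form is not None:
            return Response(200, headers, "welcome")
        # The login form posts to an absolute https:// URL; a stripping
        # proxy rewrites that scheme so the credentials travel in clear.
        return Response(200, headers, f'<form action="https://{self.host}/login">')


@dataclass
class StrippingAttacker:
    """Active attacker on the path: rewrites plaintext, cannot break TLS."""
    server: Server
    captured: list = field(default_factory=list)

    def proxy(self, path: str, form: Optional[dict]) -> Response:
        upstream = self.server.handle("https", path, form)   # talk to origin over TLS
        if form is not None:
            self.captured.append(form)                       # victim sent it in plaintext
        body = upstream.body.replace("https://", "http://")  # downgrade every link
        headers = {k: v for k, v in upstream.headers.items()
                   if k.lower() != "strict-transport-security"}  # and drop HSTS
        return Response(200, headers, body)


@dataclass
class Browser:
    hsts: dict = field(default_factory=dict)   # host -> parsed HSTS policy

    def fetch(self, url: str, server: Server, attacker: Optional[StrippingAttacker] = None,
              form: Optional[dict] = None):
        parts = urlsplit(url)
        scheme, host, path = parts.scheme, parts.netloc, parts.path or "/"
        if scheme == "http" and host in self.hsts:
            scheme = "https"   # cached HSTS: internal upgrade, nothing leaves in clear
        if scheme == "http" and attacker is not None:
            resp = attacker.proxy(path, form)
        else:
            resp = server.handle(scheme, path, form)
        if scheme == "https" and "Strict-Transport-Security" in resp.headers:
            policy = parse_hsts(resp.headers["Strict-Transport-Security"])
            if policy["max_age"] == 0:
                self.hsts.pop(host, None)   # max-age=0 clears the entry (RFC 6797)
            else:
                self.hsts[host] = policy
        if resp.status == 301:
            return self.fetch(resp.headers["Location"], server, attacker, form)
        return scheme, resp


def login_attempt(browser: Browser, server: Server, attacker: StrippingAttacker, start_url: str) -> bool:
    """User types the bare host (browsers default to http://), receives a login
    page and submits the form where it says to.  True if the attacker got the
    credentials."""
    _, page = browser.fetch(start_url, server, attacker)
    action = page.body.split('action="')[1].split('"')[0]
    browser.fetch(action, server, attacker, form={"user": "alice", "pw": "hunter2"})
    return bool(attacker.captured)


def scenarios(host: str = "savannah.example") -> dict:
    start = f"http://{host}/"
    results = {}
    s = Server(host); results["http allowed, no hsts"] = login_attempt(Browser(), s, StrippingAttacker(s), start)
    s = Server(host, redirect_http=True); results["redirect only"] = login_attempt(Browser(), s, StrippingAttacker(s), start)
    s = Server(host, True, 31536000); results["hsts, first visit attacked"] = login_attempt(Browser(), s, StrippingAttacker(s), start)
    s = Server(host, True, 31536000); b = Browser()
    b.fetch(start, s)   # one clean visit: 301 -> https -> HSTS cached
    results["hsts, cached"] = login_attempt(b, s, StrippingAttacker(s), start)
    return results


if __name__ == "__main__":
    for name, stolen in scenarios().items():
        print(f"{name:30s} credentials stolen: {stolen}")
```

The third scenario is the caveat worth remembering when deploying HSTS: the header is trust-on-first-use, so a user whose very first visit is already intercepted gets no protection from it. Closing that gap is what the browser preload lists are for, and it is also why removing the plaintext login path and redirecting are still needed alongside the header rather than instead of it.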
