Re: Making www.cpan.org TLS-only

2017-09-05 Thread Ask Bjørn Hansen


> On Sep 5, 2017, at 11:22, Leo Lapworth wrote:
> 
> Would (at least for the short term) just adding the HSTS header to every 
> request be the best solution? Then browsers get told to switch to secure and 
> other clients can do either.

HSTS only works on TLS requests, so you have to get the browser to use that 
first and then it’ll pay attention to the header (and use TLS across all 
requests).

Ask
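To make Ask's point concrete, here is an added example (not code from anyone in this thread or from the CPAN infrastructure) of what a conforming browser does with a Strict-Transport-Security header, following RFC 6797: the header is ignored unless it arrived over TLS, and only a recorded policy makes later http:// URLs for that host get rewritten to https. So adding the header to plain-http responses, as Leo proposes, is harmless but has no effect until the browser has fetched something from the host over TLS. The host names and the walk-through in demo() are constructed for illustration.

```python
"""Client-side HSTS policy handling as a conforming user agent does it (RFC 6797).

Added example for the thread above; not code from CPAN or from the posters.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires: float            # absolute time (seconds) after which the policy is dropped
    include_subdomains: bool  # set when the header carried includeSubDomains


def _parse_sts(header: str) -> Optional[Dict[str, Optional[object]]]:
    """Parse the directives of one Strict-Transport-Security header.

    Returns None when the header is invalid (duplicate directive, non-numeric
    max-age); a UA ignores invalid headers entirely (RFC 6797 s6.1).
    """
    directives: Dict[str, Optional[object]] = {}
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, value = raw.partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        value = value.strip().strip('"') if sep else None
        if name in directives:
            return None                        # names MUST NOT appear more than once
        if name == "max-age":
            if value is None or not value.isdigit():
                return None
            directives[name] = int(value)
        else:
            directives[name] = value
    return directives


class HstsStore:
    """The per-browser store of 'Known HSTS Hosts'."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._policies: Dict[str, HstsPolicy] = {}

    def observe_response(self, host: str, over_tls: bool, header: Optional[str]) -> bool:
        """Process the STS header of one response.

        Returns True if a policy was recorded or withdrawn, False if the header
        was ignored. The first check is the one Ask describes: a header that did
        not arrive over a secure transport is ignored (RFC 6797 s8.1).
        """
        if not over_tls or header is None:
            return False
        directives = _parse_sts(header)
        if directives is None or "max-age" not in directives:
            return False
        host = host.lower()
        max_age = directives["max-age"]
        if max_age == 0:                        # max-age=0 deletes an existing policy
            self._policies.pop(host, None)
            return True
        self._policies[host] = HstsPolicy(self._now() + max_age,
                                          "includesubdomains" in directives)
        return True

    def is_known_host(self, host: str) -> bool:
        """Exact match, or a superdomain whose policy carries includeSubDomains."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy.expires <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite_url(self, url: str) -> str:
        """RFC 6797 s8.3: for a Known HSTS Host, http becomes https (port 80 -> 443)."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or not self.is_known_host(host):
            return url
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo() -> Dict[str, object]:
    """Constructed walk-through: the same header seen over http:// and then https://."""
    store = HstsStore(now=lambda: 1_000_000.0)     # fixed clock so the result is stable
    sts = "max-age=31536000; includeSubDomains"
    results: Dict[str, object] = {}
    # 1. Header on a plain-http response: ignored, http URLs stay http.
    results["recorded_over_http"] = store.observe_response("www.cpan.org", False, sts)
    results["url_after_http"] = store.rewrite_url("http://www.cpan.org/src/")
    # 2. Same header once the browser has reached the site over TLS: recorded.
    results["recorded_over_tls"] = store.observe_response("www.cpan.org", True, sts)
    results["url_after_tls"] = store.rewrite_url("http://www.cpan.org/src/")
    results["subdomain_upgraded"] = store.rewrite_url("http://test.www.cpan.org/")  # made-up name
    results["other_host"] = store.rewrite_url("http://metacpan.org/")
    # 3. max-age=0 sent over TLS withdraws the policy again.
    store.observe_response("www.cpan.org", True, "max-age=0")
    results["url_after_revoke"] = store.rewrite_url("http://www.cpan.org/src/")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Non-browser HTTP clients generally implement none of this, so the header alone leaves them free to keep using plain http, which is the behaviour Leo wants for clients without TLS support; only a redirect or a TLS-only listener would actually force them.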

Re: Making www.cpan.org TLS-only

2017-09-05 Thread Leo Lapworth
On 5 September 2017 at 09:31, Leon Timmermans wrote:

> On Tue, Sep 5, 2017 at 6:34 AM, Ask Bjørn Hansen wrote:
>
>> > Among things that should allow non-TLS: I would include /src/.  Also
>> the top-level RECENT files, things in /indices/.
>>
>> +1.
>>
>> Maybe it makes more sense to reverse the logic and just target
>> whatever the most popular[1] web pages for browsers are and count on HSTS
>> having the browsers sort it out; basically an expanded version of what we
>> did now with just the home page.
>
>
I see a comment about something having broken cpanminus when someone
doesn't have LWP::Protocol::https installed:
http://log.perl.org/2017/08/tls-only-for-wwwcpanorg.html#comment-form

Would (at least for the short term) just adding the HSTS header to every
request be the best solution? Then browsers get told to switch to secure
and other clients can do either.

N.B. versions of Opera have some issues with TLS 1.2 not being enabled and
getting disabled again: https://github.com/metacpan/metacpan-web/issues/1967

Thanks

Leo


Re: Making www.cpan.org TLS-only

2017-09-05 Thread Leon Timmermans
On Tue, Sep 5, 2017 at 6:34 AM, Ask Bjørn Hansen wrote:

> > Among things that should allow non-TLS: I would include /src/.  Also the
> top-level RECENT files, things in /indices/.
>
> +1.
>
> Maybe it makes more sense to reverse the logic and just target whatever
> the most popular[1] web pages for browsers are and count on HSTS having the
> browsers sort it out; basically an expanded version of what we did now with
> just the home page.


That sounds like a more sensible approach to me.

Leon