Re: [Enigmail] https://www.enigmail.net/download/source.php contains http links
On 18.04.15 14:15, Daniel Kahn Gillmor wrote:
> On Sat 2015-04-18 12:43:07 +0200, Alexander Buchner wrote:
>> Are there reasons against using HSTS for the whole site?
>
> Nope, I don't think there are any reasons for enigmail.net to avoid HSTS. It would be even better to get the domain added to the preload list:
>
> https://hstspreload.appspot.com/
>
> If you don't have control over the HTTP headers, but you can run PHP, you may be able to use the header() function [0] like this:

HSTS is now enabled; the request for integration into hstspreload is pending.

-Patrick

___
enigmail-users mailing list
enigmail-users@enigmail.net
To unsubscribe or make changes to your subscription click here:
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
Re: [Enigmail] https://www.enigmail.net/download/source.php contains http links
On 18.04.2015 12:00, Olav Seyfarth wrote:
> Hi Daniel,
>
>> I just noticed that https://www.enigmail.net/download/source.php seems to contain cleartext http links for the source code tarballs (e.g. http://www.enigmail.net/download/source/enigmail-1.8.2.tar.gz).
>
> Thanks for notifying, fixed by Patrick 2 hours ago (I was too slow ...)
>
> Olav

Are there reasons against using HSTS for the whole site?
Re: [Enigmail] https://www.enigmail.net/download/source.php contains http links
On Sat 2015-04-18 12:43:07 +0200, Alexander Buchner wrote:
> On 18.04.2015 12:00, Olav Seyfarth wrote:
>> Hi Daniel,
>>
>>> I just noticed that https://www.enigmail.net/download/source.php seems to contain cleartext http links for the source code tarballs (e.g. http://www.enigmail.net/download/source/enigmail-1.8.2.tar.gz).
>>
>> Thanks for notifying, fixed by Patrick 2 hours ago (I was too slow ...)
>
> Are there reasons against using HSTS for the whole site?

Nope, I don't think there are any reasons for enigmail.net to avoid HSTS. It would be even better to get the domain added to the preload list:

    https://hstspreload.appspot.com/

If you don't have control over the HTTP headers, but you can run PHP, you may be able to use the header() function [0] like this:

    header("Strict-Transport-Security: max-age=10886400; includeSubDomains; preload");

    --dkg

[0] http://php.net/manual/en/function.header.php
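Added example, not part of the thread and not Enigmail project code: a check that the Strict-Transport-Security value a site actually returns parses under RFC 6797 and carries the three directives used in the message above. The function names and the use of the message's max-age as the minimum are assumptions of this example.

```python
import re

# Threshold copied from the max-age in the message above; a preload list may
# require a different minimum, so it is a parameter (assumption of this example).
MIN_MAX_AGE = 10886400
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns {directive name in lower case: value or None}, or None when the
    header is malformed and a conforming browser would ignore it entirely.
    Simplification: a ';' inside a quoted-string value is not supported.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives ("a;;b", trailing ';') are legal
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        if not TOKEN.fullmatch(name) or name in directives:
            return None  # bad name or duplicate directive invalidates the header
        val = val.strip() if sep else None
        if val and len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # quoted-string form, e.g. max-age="300"
        directives[name] = val
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None  # max-age is required and must be a non-negative integer
    directives["max-age"] = int(max_age)
    return directives

def preload_findings(value, scheme="https", min_max_age=MIN_MAX_AGE):
    """List the reasons a response header falls short of the header in the thread."""
    if scheme != "https":
        return ["sent over plain HTTP, where browsers ignore HSTS (RFC 6797 section 8.1)"]
    parsed = parse_hsts(value)
    if parsed is None:
        return ["malformed header, ignored by browsers"]
    findings = []
    if parsed["max-age"] < min_max_age:
        findings.append("max-age %d is below %d" % (parsed["max-age"], min_max_age))
    for required in ("includesubdomains", "preload"):
        if required not in parsed:
            findings.append("missing directive: " + required)
    return findings
```

An empty list from `preload_findings` means the value matches the header quoted in the thread; the `scheme` argument covers the case where a PHP script emits the header on a cleartext response, which has no effect.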
Re: [Enigmail] https://www.enigmail.net/download/source.php contains http links
Hi Daniel,

> I just noticed that https://www.enigmail.net/download/source.php seems to contain cleartext http links for the source code tarballs (e.g. http://www.enigmail.net/download/source/enigmail-1.8.2.tar.gz).

Thanks for notifying, fixed by Patrick 2 hours ago (I was too slow ...)

Olav

-- 
The Enigmail Project - OpenPGP Email Security For Mozilla Applications
[Enigmail] https://www.enigmail.net/download/source.php contains http links
Hi enigmail folks--

I just noticed that https://www.enigmail.net/download/source.php seems to contain cleartext http links for the source code tarballs (e.g. http://www.enigmail.net/download/source/enigmail-1.8.2.tar.gz).

I don't think https is a legitimate substitute for proper signatures over software (that's properly handled by the .asc signatures for enigmail already), but I see no reason to push users back to cleartext when https is already set up.

Can those links be updated to use https?

    --dkg
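Added example, not part of the thread and not Enigmail project code: a small audit for the problem reported above, listing every reference on an https page that resolves to a cleartext http:// URL. The function and class names are assumptions of this example, and the sample HTML is constructed; only the page URL and the tarball URL come from the message.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class UrlAttrCollector(HTMLParser):
    """Collect (tag, attribute value) for attributes that carry a URL."""
    URL_ATTRS = {"href", "src", "action"}

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value:
                self.found.append((tag, value.strip()))

def cleartext_links(page_url, html):
    """Return (tag, absolute URL) for each reference that resolves to http://."""
    parser = UrlAttrCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for tag, raw in parser.found:
        absolute = urljoin(page_url, raw)  # resolves relative and //host forms
        if urlsplit(absolute).scheme == "http":  # urlsplit lower-cases the scheme
            hits.append((tag, absolute))
    return hits

# Constructed sample: only the page URL and the tarball URL come from the thread.
PAGE_URL = "https://www.enigmail.net/download/source.php"
SAMPLE_HTML = """
<a href="http://www.enigmail.net/download/source/enigmail-1.8.2.tar.gz">tarball</a>
<a href="source/enigmail-1.8.2.tar.gz.asc">signature</a>
<a href="//www.enigmail.net/download/">downloads</a>
<img src="HTTP://www.enigmail.net/logo.png">
"""

if __name__ == "__main__":
    for tag, url in cleartext_links(PAGE_URL, SAMPLE_HTML):
        print(tag, url)
```

Relative and protocol-relative links inherit https from the page and are not reported; only the two absolute http:// references in the sample are.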