Re: Making www.cpan.org TLS-only

2017-09-05 Thread Ask Bjørn Hansen
> On Sep 5, 2017, at 11:22, Leo Lapworth wrote:
>
> Would (at least for the short term) just adding the HSTS header to every
> request be the best solution? Then browsers get told to switch to secure and
> other clients can do either.

HSTS only works on TLS requests, so

Re: Making www.cpan.org TLS-only

2017-09-05 Thread Leo Lapworth
On 5 September 2017 at 09:31, Leon Timmermans wrote:
> On Tue, Sep 5, 2017 at 6:34 AM, Ask Bjørn Hansen wrote:
>
>> > Among things that should allow non-TLS: I would include /src/. Also
>> the top-level RECENT files, things in /indices/.
>>
>> +1.
>>
>> Maybe

Re: Making www.cpan.org TLS-only

2017-09-05 Thread Leon Timmermans
On Tue, Sep 5, 2017 at 6:34 AM, Ask Bjørn Hansen wrote:
> > Among things that should allow non-TLS: I would include /src/. Also the
> top-level RECENT files, things in /indices/.
>
> +1.
>
> Maybe it makes more sense to reverse the logic and just targeting whatever
> the most

Re: Making www.cpan.org TLS-only

2017-09-04 Thread David Cantrell
On Fri, Sep 01, 2017 at 12:48:02PM -0400, Olaf Alders wrote:
> As an (interesting?) aside, the Net::HTTP test suite just broke because of
> the 301 from http://www.cpan.org to https://www.cpan.org
> https://github.com/libwww-perl/Net-HTTP/issues/53 Obviously that test made
> some assumptions

Re: Making www.cpan.org TLS-only

2017-09-01 Thread David E. Wheeler
On Aug 31, 2017, at 9:10 PM, Ask Bjørn Hansen wrote:
> Hi everyone,
>
> We’re considering how/how-much we can make www.cpan.org TLS-only.
> http://log.perl.org/2017/08/tls-only-for-wwwcpanorg.html
>
> I expect that we can’t make the whole site TLS-only without breaking some
>

Re: Making www.cpan.org TLS-only

2017-09-01 Thread Kent Fredric
> downloading CPAN content roughly to:
> internet connection to not muck with the code you receive.
>
> Obviously the real fix here is that clients need to request via TLS (since I
> doubt any clients other than regular browsers support HSTS).

I was under the impression that any "code" (eg:

Re: Making www.cpan.org TLS-only

2017-09-01 Thread Ask Bjørn Hansen
The Google change was the impetus to get around to it. Clients should use TLS to request content. It limits the trust for downloading CPAN content roughly to:
- The author
- PAUSE system maintainers
- perl.org infrastructure maintainers
- Fastly
- Global CA infrastructure

Without TLS you

Re: Making www.cpan.org TLS-only

2017-09-01 Thread Kent Fredric
On 1 September 2017 at 13:10, Ask Bjørn Hansen wrote:
> Hi everyone,
>
> We’re considering how/how-much we can make www.cpan.org TLS-only.
> http://log.perl.org/2017/08/tls-only-for-wwwcpanorg.html
>
> I expect that we can’t make the whole site TLS-only without breaking some
>

Re: Making www.cpan.org TLS-only

2017-09-01 Thread Henk P. Penning
On Fri, 1 Sep 2017, Ask Bjørn Hansen wrote:
Date: Fri, 1 Sep 2017 03:10:12 +0200
From: Ask Bjørn Hansen <a...@perl.org>
To: cpan-workers@perl.org
Subject: Making www.cpan.org TLS-only

Hi everyone,

We’re considering how/how-much we can make www.cpan.org TLS-only.
http://log.perl.org/2

Re: Making www.cpan.org TLS-only

2017-08-31 Thread Ask Bjørn Hansen
Uh, there’s no “SSL” anymore. The newer versions of SSL have been “TLS” since the end of the nineties. https://en.wikipedia.org/wiki/Transport_Layer_Security That being said, the suggested change here is to require HTTPS for www.cpan.org by redirecting all plain-text HTTP requests to the HTTPS

Re: Making www.cpan.org TLS-only

2017-08-31 Thread Tim Orling
On one hand SSL (especially openssl) has received a lot of negative publicity about being insecure, so your proposal has merit. The counter argument is that Perl and CPAN strive to be relevant for ancient, old, young and brand-spanking-new installations. Forcing TLS would likely break some older

Re: Making www.cpan.org TLS-only

2017-08-31 Thread Ask Bjørn Hansen
> On Aug 31, 2017, at 19:44, James E Keenan wrote:
>
> To be honest, I had no idea what 'TLS' meant when I first read this message.
> So I can't say anything one way or the other about your proposal.
>
> I suspect I'm not alone in this. I would encourage you to post in a

Re: Making www.cpan.org TLS-only

2017-08-31 Thread James E Keenan
On 08/31/2017 09:10 PM, Ask Bjørn Hansen wrote:
Hi everyone,

We’re considering how/how-much we can make www.cpan.org TLS-only.
http://log.perl.org/2017/08/tls-only-for-wwwcpanorg.html

I expect that we can’t make the whole site TLS-only without breaking some CPAN clients, so the conservative

Making www.cpan.org TLS-only

2017-08-31 Thread Ask Bjørn Hansen
Hi everyone,

We’re considering how/how-much we can make www.cpan.org TLS-only.
http://log.perl.org/2017/08/tls-only-for-wwwcpanorg.html

I expect that we can’t make the whole site TLS-only without breaking some CPAN clients, so the conservative version is to force TLS for
- any url ending in