Re: HSTS and expired cert: our site is down for now

2017-04-11 Thread Florent Daigniere 
On Tue, 2017-04-11 at 13:28 -0300, Fernando Mumbach wrote:
> Thank you Florent for answering in such a well explained form.
> 
> If the subdomain "downloads" is deprecated, how are we supposed to
> get the seednodes for the first install?


They are shipped with the various installers we provide; but that
doesn't help the package managers...

> As of now, the AUR package for freenet is totally broken because you 
> can't download that file, so I'm assuming it's going to move to S3?

Or github. Whatever our release manager decides.

> If the plan is moving to S3, why not make a
> downloads.freenetproject.org a CNAME pointing to the S3 bucket, so we
> can keep the paths and everything would JustWork? (AFAIK, never tested
> using CNAMEs with S3)
> 


Making something like that work could have been possible if it was
planned... but would have been risky (most "clients" pin the
certificate). Changing to a different FQDN and hierarchy makes a lot of
sense since all the places that do reference the existing URLs will have
to be touched anyway.

That vhost does various kinds of redirect-based magic (/latest/ but also
the .url and the .registry files) under the scene and that is non
straightforward to emulate with S3. I have sent an email months ago
saying that downloads.freenetproject.org was going away... no one has
objected at the time.

> So much confusion around this issue. I understand 100% of the work is 
> voluntary, but this became a mess in no time, and seems like no one 
> wants to take responsibility.
> 
> 
> I'm still not sure about these:
> - I should be able to update from freenet itself, but what about new 
> users? Where do they get the initial files?


Currently from github. The project's officially supported installer do
ship with a seednode file (don't ask me how it's updated; it's probably
not :p)

> - The update script for the new version should be working, but how am
> I supposed to update using the script if the URLs change?


I don't think it is. Fred can update the script in place on
existing/working installs (again, that doesn't help packagers I guess).


> - Has anyone started a petition for AWS non profits? I remember
> reading that some open source projects get free credits on Amazon
> AWS¹. These credits could help pay the hosting services.
> 
> ¹: https://aws.amazon.com/government-education/nonprofits/?nc1=h_ls
> 


That's on my TODO (after finishing the migration).

Florent

> On 11-04-2017 05:38, Florent Daigniere wrote:
> > On Sun, 2017-04-09 at 19:57 -0300, Fernando Mumbach wrote:
> > > Hello,
> > > 
> > 
> > Hi Fernando,
> > 
> > Since no one is replying to you, I will attempt to...
> > 
> > 
> > > downloads.freenetproject.org is still using the old cert,
> > 
> > It is a feature, not a bug :)
> > 
> > The plan was to drop that FQDN... and then at the last minute, Arne
> > has
> > decided to release a build (1478) that has changed the plan.
> > 
> > I have made it clear that it wouldn't work... but been ignored.
> > 
> > 
> > >   and the archlinux package fails to update because the cert is
> > > invalid. Did you maybe forgot to also update the subdomain?
> > 
> > The plan has always been to drop that vhost altogether. I haven't
> > dropped it because of the last minute change to the plan, that's
> > all.
> > 
> > Its organization doesn't make sense (keeping alpha in the path, ...)
> > and
> > is unsuitable for everyone (packagers, build tools that expect
> > metadata,
> > ...), not to mention that it costs the project money to keep the VPS
> > it
> > sits on up. That's why I am keen on getting rid of it once and for
> > all.
> > 
> > The initial plan was to setup a new vhost (mvn.freenetproject.org)
> > that
> > would be AWS/S3 baked and would provide a maven-like repository
> > structure we would push our builds to (and that packagers,
> > installers,
> > build tools, ... ) could use.
> > 
> > Just like you, I have zero visibility on what is supposed to be
> > happening... or what the current plan is; rest assured that it's not
> > just the various packages that are broken (1478 doesn't magically
> > bypass
> > the certificate expiry check and has obviously not received any
> > testing
> > before being released).
> > 
> > I have stopped to work on next since that isn't where the builds are
> > being released from anymore...
> > 
> > 
> > >   The subdomain "wiki" works okay for me (it redirects correctly
> > > to
> > > github). I do not know of others subdomains, but we should test
> > > all
> > > the domains.
> > > 
> > 
> > All the domains for which a plan did exist have been migrated
> > (website,
> > bugs, wiki). Those that haven't will see their DNS entry removed
> > soon
> > (doc-fr, testing, old-wiki, archives, downloads, emu).
> > 
> > Florent
> > 
> > > On 05-04-2017 20:35, Arne Babenhauserheide wrote:
> > > > Hi,
> > > > 
> > > > The certificate expired and we use HTTP Strict Transport
> > > > Security
> > > > (HSTS). That means: Our old site is down until the DNS

Re: HSTS and expired cert: our site is down for now

2017-04-11 Thread Fernando Mumbach 

Thank you Florent for answering in such a well explained form.

If the subdomain "downloads" is deprecated, how are we supposed to get 
the seednodes for the first install?
As of now, the AUR package for freenet is totally broken because you 
can't download that file, so I'm assuming it's going to move to S3?
If the plan is moving to S3, why not make a downloads.freenetproject.org 
a CNAME pointing to the S3 bucket, so we can keep the paths and 
everything would JustWork? (AFAIK, never tested using CNAMEs with S3)


So much confusion around this issue. I understand 100% of the work is 
voluntary, but this became a mess in no time, and seems like no one 
wants to take responsibility.



I'm still not sure about these:
- I should be able to update from freenet itself, but what about new 
users? Where do they get the initial files?
- The update script for the new version should be working, but how am I 
supposed to update using the script if the URLs change?
- Has anyone started a petition for AWS non profits? I remember reading 
that some open source projects get free credits on Amazon AWS¹. These 
credits could help pay the hosting services.


¹: https://aws.amazon.com/government-education/nonprofits/?nc1=h_ls

On 11-04-2017 05:38, Florent Daigniere wrote:

On Sun, 2017-04-09 at 19:57 -0300, Fernando Mumbach wrote:

Hello,


Hi Fernando,

Since no one is replying to you, I will attempt to...



downloads.freenetproject.org is still using the old cert,

It is a feature, not a bug :)

The plan was to drop that FQDN... and then at the last minute, Arne has
decided to release a build (1478) that has changed the plan.

I have made it clear that it wouldn't work... but been ignored.



  and the archlinux package fails to update because the cert is
invalid. Did you maybe forgot to also update the subdomain?

The plan has always been to drop that vhost altogether. I haven't
dropped it because of the last minute change to the plan, that's all.

Its organization doesn't make sense (keeping alpha in the path, ...) and
is unsuitable for everyone (packagers, build tools that expect metadata,
...), not to mention that it costs the project money to keep the VPS it
sits on up. That's why I am keen on getting rid of it once and for all.

The initial plan was to setup a new vhost (mvn.freenetproject.org) that
would be AWS/S3 baked and would provide a maven-like repository
structure we would push our builds to (and that packagers, installers,
build tools, ... ) could use.

Just like you, I have zero visibility on what is supposed to be
happening... or what the current plan is; rest assured that it's not
just the various packages that are broken (1478 doesn't magically bypass
the certificate expiry check and has obviously not received any testing
before being released).

I have stopped to work on next since that isn't where the builds are
being released from anymore...



  The subdomain "wiki" works okay for me (it redirects correctly to
github). I do not know of others subdomains, but we should test all
the domains.


All the domains for which a plan did exist have been migrated (website,
bugs, wiki). Those that haven't will see their DNS entry removed soon
(doc-fr, testing, old-wiki, archives, downloads, emu).

Florent


On 05-04-2017 20:35, Arne Babenhauserheide wrote:

Hi,

The certificate expired and we use HTTP Strict Transport Security
(HSTS). That means: Our old site is down until the DNS can be
switched
over to the AWS site.

Let’s treat this as a test of what would happen if an attacker were
to
take down our clearnet infrastructure.

Best wishes,
Arne
--
Unpolitisch sein
heißt politisch sein
ohne es zu merken

Re: HSTS and expired cert: our site is down for now

2017-04-11 Thread Florent Daigniere 
On Sun, 2017-04-09 at 19:57 -0300, Fernando Mumbach wrote:
> Hello,
> 

Hi Fernando,

Since no one is replying to you, I will attempt to...


> downloads.freenetproject.org is still using the old cert,

It is a feature, not a bug :)

The plan was to drop that FQDN... and then at the last minute, Arne has
decided to release a build (1478) that has changed the plan.

I have made it clear that it wouldn't work... but been ignored.


>  and the archlinux package fails to update because the cert is
> invalid. Did you maybe forgot to also update the subdomain?

The plan has always been to drop that vhost altogether. I haven't
dropped it because of the last minute change to the plan, that's all.

Its organization doesn't make sense (keeping alpha in the path, ...) and
is unsuitable for everyone (packagers, build tools that expect metadata,
...), not to mention that it costs the project money to keep the VPS it
sits on up. That's why I am keen on getting rid of it once and for all.

The initial plan was to setup a new vhost (mvn.freenetproject.org) that
would be AWS/S3 baked and would provide a maven-like repository
structure we would push our builds to (and that packagers, installers,
build tools, ... ) could use.

Just like you, I have zero visibility on what is supposed to be
happening... or what the current plan is; rest assured that it's not
just the various packages that are broken (1478 doesn't magically bypass
the certificate expiry check and has obviously not received any testing
before being released). 

I have stopped to work on next since that isn't where the builds are
being released from anymore...


>  The subdomain "wiki" works okay for me (it redirects correctly to
> github). I do not know of others subdomains, but we should test all
> the domains.
> 

All the domains for which a plan did exist have been migrated (website,
bugs, wiki). Those that haven't will see their DNS entry removed soon
(doc-fr, testing, old-wiki, archives, downloads, emu).

Florent

> 
> On 05-04-2017 20:35, Arne Babenhauserheide wrote:
> > Hi,
> > 
> > The certificate expired and we use HTTP Strict Transport Security
> > (HSTS). That means: Our old site is down until the DNS can be
> > switched
> > over to the AWS site.
> > 
> > Let’s treat this as a test of what would happen if an attacker were
> > to
> > take down our clearnet infrastructure.
> > 
> > Best wishes,
> > Arne
> > --
> > Unpolitisch sein
> > heißt politisch sein
> > ohne es zu merken

signature.asc
Description: This is a digitally signed message part

Re: HSTS and expired cert: our site is down for now

2017-04-09 Thread Fernando Mumbach 

Hello,

downloads.freenetproject.org is still using the old cert, and the 
archlinux package fails to update because the cert is invalid.
Did you maybe forgot to also update the subdomain? The subdomain "wiki" 
works okay for me (it redirects correctly to github).

I do not know of others subdomains, but we should test all the domains.


On 05-04-2017 20:35, Arne Babenhauserheide wrote:

Hi,

The certificate expired and we use HTTP Strict Transport Security
(HSTS). That means: Our old site is down until the DNS can be switched
over to the AWS site.

Let’s treat this as a test of what would happen if an attacker were to
take down our clearnet infrastructure.

Best wishes,
Arne
--
Unpolitisch sein
heißt politisch sein
ohne es zu merken

Re: HSTS and expired cert: our site is down for now

2017-04-06 Thread Florent Daigniere 
On Thu, 2017-04-06 at 17:19 +, Ian Clarke wrote:
>  On Thu, Apr 6, 2017 11:19 AM, Florent Daigniere nextgens@freenetproje
> ct.org wrote:
> > On Thu, 2017-04-06 at 15:08 +, Ian wrote:
> > >  Well, it's an improvement over what we have now even if it is
> > > incomplete :)
> > > Just for clarity, what is the procedure for deploying
> > improvements?
> > 
> > Pushing them to the existing repository on a different branch.
> > Travis
> > will auto-build/deploy from there if the build succeeds.
> > 
> > The list of authorized people/process hasn't changed; anyone not on
> > the
> > list has to send a pull request.
> > 
> 
> Where is the list?

https://github.com/freenet/website/settings/collaboration

>   Any chance you can provide a top-down overview of the setup, or if
> this is documented anywhere can you point me to it?  Maybe I've just
> been out-of-the-loop but I definitely don't have a good top-down
> understanding of the setup.  At least 2 people should have a good
> enough understanding of this to admin it.
> 

It's as simple as it can get:
1) Code lands on https://github.com/freenet/website/tree/2016-redesign
2) Travis runs https://travis-ci.org/freenet/website using 
https://github.com/freenet/website/blob/2016-redesign/.travis.yml
that builds and deploy the website to an AWS s3 bucket

Anyone with push access can change the travis config file and influence
the build process.

> > Now that it's live hopefully multiple people can fork it and start
> > pushing improvements which we can review and merge.  
> > We should have an approval process for it - it would be ideal if we
> > had staging where changes could be reviewed live before being pushed
> > to production.
> 
> That's the plan. When I get some time I will set it up (two branches,
> deploying to two different buckets/FQDNs, like we used to have).
> 
> I'm puzzled, when you said:
> 
> I won't have time to do anything more for the foreseeable future.
> 
> I assumed it meant that we couldn't expect you to do any more work on
> this, did I misunderstand?
> 

I have poorly expressed myself, what I meant is that I have little time
and visibility on my calendar for the next few weeks... and that I
currently don't have access to all the credentials I hold on behalf of
FPI (I am abroad).


> > Florent, if you won't have time to do anything for the foreseeable
> > future, is there someone else familiar enough with how things are
> set
> > up that they can work on it?
> 
> Right now there is still massive amounts of work to be done on the
> content; IMHO a two step review process would be overkill for now...
> 
> Ok, I agree that we should minimize red tape while there is still a
> lot to be done.
> 
> > It would be well worth spending some of our funding to hire an AWS
> > expert to ensure everything is set up nicely and minimize the risk
> of
> > something like this happening in future.  I have a good guy in mind
> > (used to work for Amazon so very familiar with AWS).
> > Thoughts?
> 
> I don't think it would be. This happened because we weren't using AWS
> yet. Our new setup is rock-solid and fairly standard: it's an S3
> bucket where the content is served by cloudfront.
> 
> I was mostly motivated by the fact that I thought you said you
> wouldn't be able to do any more, and yet you seem to be the only
> person who knows how everything fits together.  Please correct me if
> I'm wrong,
> 
> I just want to  make sure we don't end up in a situation again where
> something breaks and the only person who can fix it is unavailable.
>  If we can pay someone competent to help us to get to this point I
> think it would be well worth it - but happy to discuss if you think
> differently.
> 

I am not the only person who can fix it, the bus-factor is catered for;
Steve has all the credentials... as for the lack of documentation, it's
lacking for both the legacy and "new" infrastructure.

Feel free to start a page about it on the new wiki ;)

Florent

signature.asc
Description: This is a digitally signed message part

Re: HSTS and expired cert: our site is down for now

2017-04-06 Thread Ian Clarke 
On Thu, Apr 6, 2017 11:19 AM, Florent Daigniere nextg...@freenetproject.org 
wrote:
On Thu, 2017-04-06 at 15:08 +, Ian wrote:

>  Well, it's an improvement over what we have now even if it is

> incomplete :)

> Just for clarity, what is the procedure for deploying improvements?




Pushing them to the existing repository on a different branch. Travis

will auto-build/deploy from there if the build succeeds.




The list of authorized people/process hasn't changed; anyone not on the

list has to send a pull request.




Where is the list?  Any chance you can provide a top-down overview of the setup,
or if this is documented anywhere can you point me to it?  Maybe I've just been
out-of-the-loop but I definitely don't have a good top-down understanding of the
setup.  At least 2 people should have a good enough understanding of this to
admin it.


> Now that it's live hopefully multiple people can fork it and start
> pushing improvements which we can review and merge.

> We should have an approval process for it - it would be ideal if we

> had staging where changes could be reviewed live before being pushed

> to production.




That's the plan. When I get some time I will set it up (two branches,

deploying to two different buckets/FQDNs, like we used to have).




I'm puzzled, when you said:
I won't have time to do anything more for the foreseeable future.
I assumed it meant that we couldn't expect you to do any more work on this, did
I misunderstand?


> Florent, if you won't have time to do anything for the foreseeable
> future, is there someone else familiar enough with how things are set

> up that they can work on it?




Right now there is still massive amounts of work to be done on the

content; IMHO a two step review process would be overkill for now...




Ok, I agree that we should minimize red tape while there is still a lot to be
done.


> It would be well worth spending some of our funding to hire an AWS
> expert to ensure everything is set up nicely and minimize the risk of

> something like this happening in future.  I have a good guy in mind

> (used to work for Amazon so very familiar with AWS).

> Thoughts?




I don't think it would be. This happened because we weren't using AWS

yet. Our new setup is rock-solid and fairly standard: it's an S3 bucket

where the content is served by cloudfront.




I was mostly motivated by the fact that I thought you said you wouldn't be able
to do any more, and yet you seem to be the only person who knows how everything
fits together.  Please correct me if I'm wrong,
I just want to  make sure we don't end up in a situation again where something
breaks and the only person who can fix it is unavailable.  If we can pay someone
competent to help us to get to this point I think it would be well worth it -
but happy to discuss if you think differently.
Ian.

Re: HSTS and expired cert: our site is down for now

2017-04-06 Thread Florent Daigniere 
On Thu, 2017-04-06 at 15:08 +, Ian wrote:
>  Well, it's an improvement over what we have now even if it is
> incomplete :)
> Just for clarity, what is the procedure for deploying improvements?

Pushing them to the existing repository on a different branch. Travis
will auto-build/deploy from there if the build succeeds.

The list of authorized people/process hasn't changed; anyone not on the
list has to send a pull request.

> Now that it's live hopefully multiple people can fork it and start
> pushing improvements which we can review and merge.  
> We should have an approval process for it - it would be ideal if we
> had staging where changes could be reviewed live before being pushed
> to production.

That's the plan. When I get some time I will set it up (two branches,
deploying to two different buckets/FQDNs, like we used to have).

> Florent, if you won't have time to do anything for the foreseeable
> future, is there someone else familiar enough with how things are set
> up that they can work on it?

Right now there is still massive amounts of work to be done on the
content; IMHO a two step review process would be overkill for now...

> It would be well worth spending some of our funding to hire an AWS
> expert to ensure everything is set up nicely and minimize the risk of
> something like this happening in future.  I have a good guy in mind
> (used to work for Amazon so very familiar with AWS).
> Thoughts?

I don't think it would be. This happened because we weren't using AWS
yet. Our new setup is rock-solid and fairly standard: it's an S3 bucket
where the content is served by cloudfront.

Florent

> Ian.
> 
> 
> On Thu, Apr 6, 2017 2:49 AM, Florent Daigniere nextgens@freenetproject
> .org wrote:
> > I have made the DNS changes; these aren't the problem...
> > 
> > The problem is that the content we serve from the new infrastructure
> > isn't ready... almost a year in the making... so we have never
> > finished
> > the infrastructure switch.
> > 
> > Whatever is pushed to
> > https://github.com/freenet/website/tree/2016-redesign
> > will go live; both of you have access; if you care, fix it :)
> > 
> > I won't have time to do anything more for the foreseeable future.
> > 
> > Florent
> > 
> > On Thu, 2017-04-06 at 00:10 +, Ian wrote:
> > >  Crap, what are we waiting on to get it back up?
> > >
> > >
> > > On Wed, Apr 5, 2017 6:35 PM, Arne Babenhauserheide arne_...@web.de
> > > wrote:
> > > > Hi,
> > > >
> > > > The certificate expired and we use HTTP Strict Transport
> > Security
> > > > (HSTS). That means: Our old site is down until the DNS can be
> > > > switched
> > > > over to the AWS site.
> > > >
> > > > Let’s treat this as a test of what would happen if an attacker
> > were
> > > > to
> > > > take down our clearnet infrastructure.
> > > >
> > > > Best wishes,
> > > > Arne
> > > > --
> > > > Unpolitisch sein
> > > > heißt politisch sein
> > > > ohne es zu merken
> > > >
> > > >
> > 

signature.asc
Description: This is a digitally signed message part

Re: HSTS and expired cert: our site is down for now

2017-04-06 Thread Dan Roberts 
The jnlp download for Linux requires review and almost certainly
modification. I'm not familiar with jnlp itself but I will try to review it
and the rest of the downloads in the next half hour on public transit. I
don't know if I'll have enough time to complete that this morning however,
it would be great for someone to review that too.

Thanks,
Dan

On Apr 6, 2017 12:49 AM, "Florent Daigniere" 
wrote:

> I have made the DNS changes; these aren't the problem...
>
> The problem is that the content we serve from the new infrastructure
> isn't ready... almost a year in the making... so we have never finished
> the infrastructure switch.
>
> Whatever is pushed to
> https://github.com/freenet/website/tree/2016-redesign
> will go live; both of you have access; if you care, fix it :)
>
> I won't have time to do anything more for the foreseeable future.
>
> Florent
>
> On Thu, 2017-04-06 at 00:10 +, Ian wrote:
> >  Crap, what are we waiting on to get it back up?
> >
> >
> > On Wed, Apr 5, 2017 6:35 PM, Arne Babenhauserheide arne_...@web.de
> > wrote:
> > > Hi,
> > >
> > > The certificate expired and we use HTTP Strict Transport Security
> > > (HSTS). That means: Our old site is down until the DNS can be
> > > switched
> > > over to the AWS site.
> > >
> > > Let’s treat this as a test of what would happen if an attacker were
> > > to
> > > take down our clearnet infrastructure.
> > >
> > > Best wishes,
> > > Arne
> > > --
> > > Unpolitisch sein
> > > heißt politisch sein
> > > ohne es zu merken
> > >
> > >

Re: HSTS and expired cert: our site is down for now

2017-04-06 Thread Ian 
Well, it's an improvement over what we have now even if it is incomplete :)
Just for clarity, what is the procedure for deploying improvements?
Now that it's live hopefully multiple people can fork it and start pushing
improvements which we can review and merge.
We should have an approval process for it - it would be ideal if we had staging
where changes could be reviewed live before being pushed to production.
Florent, if you won't have time to do anything for the foreseeable future, is
there someone else familiar enough with how things are set up that they can work
on it?
It would be well worth spending some of our funding to hire an AWS expert to
ensure everything is set up nicely and minimize the risk of something like this
happening in future.  I have a good guy in mind (used to work for Amazon so very
familiar with AWS).
Thoughts?
Ian.  





On Thu, Apr 6, 2017 2:49 AM, Florent Daigniere nextg...@freenetproject.org 
wrote:
I have made the DNS changes; these aren't the problem...




The problem is that the content we serve from the new infrastructure

isn't ready... almost a year in the making... so we have never finished

the infrastructure switch.




Whatever is pushed to 

https://github.com/freenet/website/tree/2016-redesign

will go live; both of you have access; if you care, fix it :)




I won't have time to do anything more for the foreseeable future.




Florent




On Thu, 2017-04-06 at 00:10 +, Ian wrote:

>  Crap, what are we waiting on to get it back up?

> 

> 

> On Wed, Apr 5, 2017 6:35 PM, Arne Babenhauserheide arne_...@web.de

> wrote:

> > Hi,

> > 

> > The certificate expired and we use HTTP Strict Transport Security

> > (HSTS). That means: Our old site is down until the DNS can be

> > switched

> > over to the AWS site.

> > 

> > Let’s treat this as a test of what would happen if an attacker were

> > to

> > take down our clearnet infrastructure.

> > 

> > Best wishes,

> > Arne

> > --

> > Unpolitisch sein

> > heißt politisch sein

> > ohne es zu merken

> > 

> >

Re: HSTS and expired cert: our site is down for now

2017-04-06 Thread Florent Daigniere 
I have made the DNS changes; these aren't the problem...

The problem is that the content we serve from the new infrastructure
isn't ready... almost a year in the making... so we have never finished
the infrastructure switch.

Whatever is pushed to 
https://github.com/freenet/website/tree/2016-redesign
will go live; both of you have access; if you care, fix it :)

I won't have time to do anything more for the foreseeable future.

Florent

On Thu, 2017-04-06 at 00:10 +, Ian wrote:
>  Crap, what are we waiting on to get it back up?
> 
> 
> On Wed, Apr 5, 2017 6:35 PM, Arne Babenhauserheide arne_...@web.de
> wrote:
> > Hi,
> > 
> > The certificate expired and we use HTTP Strict Transport Security
> > (HSTS). That means: Our old site is down until the DNS can be
> > switched
> > over to the AWS site.
> > 
> > Let’s treat this as a test of what would happen if an attacker were
> > to
> > take down our clearnet infrastructure.
> > 
> > Best wishes,
> > Arne
> > --
> > Unpolitisch sein
> > heißt politisch sein
> > ohne es zu merken
> > 
> > 

signature.asc
Description: This is a digitally signed message part

Re: HSTS and expired cert: our site is down for now

2017-04-05 Thread Ian 
Crap, what are we waiting on to get it back up?  





On Wed, Apr 5, 2017 6:35 PM, Arne Babenhauserheide arne_...@web.de  wrote:
Hi,




The certificate expired and we use HTTP Strict Transport Security

(HSTS). That means: Our old site is down until the DNS can be switched

over to the AWS site.




Let’s treat this as a test of what would happen if an attacker were to

take down our clearnet infrastructure.




Best wishes,

Arne

--

Unpolitisch sein

heißt politisch sein

ohne es zu merken