Another step towards crowdfunding

Micah Lee micah at micahflee.com
Mon Dec 16 20:32:45 CET 2013


On 12/14/2013 09:32 AM, Sam Tuke wrote:
> This has been on the todo list for a while (the blog is all static hand
> written HTML at the moment). I made separate pages as requested just now and
> they're online. Should make linking easier (just click on the article headings
> on the blog front page).

Awesome.

> No we don't have a sponsor offering that at the moment (I'd be delighted if we
> did). Which archived mail gave you that impression?

Yeah, I was talking about:
http://lists.gnupg.org/pipermail/gnupg-users/2013-December/048332.html

> I guess you're referring to the blog (gnupg.org is HTTPS accessible, but
> blog.gnupg.org is not)? The new site will host the blog on a single (not sub)
> domain, so all pages will be reachable by an encrypted connection. Does that
> answer your question?

Ahh, it's good to know that gnupg.org is available for https. But I
would guess a very small percentage of your visitors use it, or even
know that it's available.

If you want to fix this, you could make all incoming http traffic
respond with a 301 redirect to https.

Looking at my browser, for some reason gnupg.org has set two cookies,
one of which is a uuid that anyone monitoring me can use to track me,
even if I switch internet connections or start using a VPN. Because of
this (and because it's good practice and doesn't hurt) you could also
set the HSTS header, which prevents browsers from accidentally (or being
tricked into) loading the website over http:
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

Also, looks like the CA is CAcert--an awesome CA, but not trusted by
browsers by default. I'd suggest getting a cert from StartSSL
[https://startssl.com/], since they're the only CA that gives certs for
free. And a wildcard cert (for *.gnupg.org) ends up costing like $60 USD.

Also, it would be great if the use of https could be done better. The
Qualys SSL report gives https://gnupg.org/ an F (because of the CAcert
issue), but even if you used a browser-trusted CA it still wouldn't be
the best: https://www.ssllabs.com/ssltest/analyze.html?d=gnupg.org

I notice you're using Boa Webserver, and their docs don't seem to show
how to do things like set custom http headers or mess with the
ciphersuites in use. But for other servers (apache, nginx, lighttpd) you
can find security-hardened config examples here:
https://github.com/ioerror/duraconf

-- 
Micah Lee
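
The three checks the message asks for (HTTP answered with a 301 to
https://, an HSTS header on the HTTPS response, and cookies that are not
set over plaintext or without the Secure flag) can be verified offline
from captured response headers. The script below is an added example for
this archive page, not code from the original message, from GnuPG or
from any web server; the sample responses and the host name
www.example.org are constructed for illustration, not captured from
gnupg.org, and the 180-day minimum HSTS max-age is an assumed threshold.

```python
"""Offline audit of HTTP response headers for the hardening points raised
in the message: HTTP -> HTTPS 301 redirect, HSTS on the HTTPS response,
and cookies leaking over plaintext or lacking the Secure flag.
Added example, not GnuPG's or the author's code; all responses below are
constructed samples, not captures from gnupg.org."""

from email.parser import Parser   # RFC 822-style header block parser
from urllib.parse import urlsplit


def parse_response(raw):
    """Split a raw HTTP response (status line + headers) into (status, headers).
    Header names are lowercased; repeated headers such as Set-Cookie are kept
    as a list so none are lost."""
    status_line, _, header_block = raw.partition("\r\n")
    status = int(status_line.split()[1])
    msg = Parser().parsestr(header_block.replace("\r\n", "\n"))
    headers = {}
    for name, value in msg.items():
        headers.setdefault(name.lower(), []).append(value)
    return status, headers


def parse_hsts(value):
    """Return the max-age (seconds) from a Strict-Transport-Security value,
    or None when the directive is missing or malformed."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit(http_raw, https_raw, host, min_hsts_age=180 * 24 * 3600):
    """Return a list of findings; an empty list means all checks passed.
    http_raw is the response to a plain http:// request for `host`,
    https_raw the response to the https:// request."""
    findings = []

    status, h = parse_response(http_raw)
    loc = h.get("location", [""])[0]
    if status != 301:
        findings.append(f"http: expected 301 redirect, got {status}")
    elif urlsplit(loc).scheme != "https" or urlsplit(loc).hostname != host:
        findings.append(f"http: redirect target {loc!r} is not https://{host}")
    # A cookie set on the plaintext response is readable by anyone on the path.
    for cookie in h.get("set-cookie", []):
        findings.append(f"http: cookie set over plaintext: {cookie.split('=')[0]}")

    status, h = parse_response(https_raw)
    hsts = h.get("strict-transport-security")
    if not hsts:
        findings.append("https: no Strict-Transport-Security header")
    else:
        age = parse_hsts(hsts[0])
        if age is None or age < min_hsts_age:
            findings.append(f"https: HSTS max-age {age} below {min_hsts_age}")
    # Without Secure, a browser will also send the cookie over http://.
    for cookie in h.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"https: cookie {cookie.split('=')[0]} lacks Secure flag")
    return findings


# Constructed samples (not real captures). The weak pair mirrors the
# situation described in the message: 200 on plaintext, a uuid cookie,
# no HSTS. The hardened pair is what the message recommends.
WEAK_HTTP = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             "Set-Cookie: uuid=0123456789abcdef; Path=/\r\n\r\n")
WEAK_HTTPS = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              "Set-Cookie: uuid=0123456789abcdef; Path=/\r\n\r\n")
GOOD_HTTP = ("HTTP/1.1 301 Moved Permanently\r\n"
             "Location: https://www.example.org/\r\n\r\n")
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
              "Set-Cookie: uuid=0123456789abcdef; Path=/; Secure; HttpOnly\r\n\r\n")

if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)),
                        ("hardened", (GOOD_HTTP, GOOD_HTTPS))):
        print(label, audit(pair[0], pair[1], "www.example.org") or "OK")
```

Run against real captures, feed it the raw header blocks from two
requests (for example `curl -si http://host/` and `curl -si https://host/`)
and the host name; the redirect check deliberately requires the Location
to point at https:// on the same host, so a redirect to a different
domain or to a plain http:// URL is reported rather than accepted.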

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 866 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20131216/e929a54c/attachment.sig>