Another step towards crowdfunding

Werner Koch wk at gnupg.org
Tue Dec 17 11:59:13 CET 2013


On Mon, 16 Dec 2013 20:32, micah at micahflee.com said:

> Ahh, it's good to know that gnupg.org is available for https. But I
> would guess a very small percentage of your visitors use it, or even
> know that it's available.

Well, browsers could first try to use https.  Would it help them to provide
a SRV record for this?

> If you want to fix this, you could make all incoming http traffic
> respond with a 301 redirect to https.

I am not sure whether this helps.  If we eventually offer http download
we could use https: for that instead.  There is also a plan for providing
a hidden tor service.

> this (and because it's good practice and doesn't hurt) you could also
> set the HSTS header, which prevents browsers from accidentally (or being
> tricked into) loading the website over http:

Should be considered, I need to hack up Boa anyway.

> Also, looks like the CA is CAcert--an awesome CA, but not trusted by
> browsers by default. I'd suggest getting a cert from StartSSL
> [https://startssl.com/], since they're the only CA that gives certs for
> free. And a wildcard cert (for *.gnupg.org) ends up costing like $60 USD.

I hesitate to pay the highwaymen.

> Also, it would be great if the use of https could be done better. The
> Qualys SSL report gives https://gnupg.org/ an F (because of the CAcert
> issue), but even if you used a browser-trusted CA it still wouldn't be
> the best: https://www.ssllabs.com/ssltest/analyze.html?d=gnupg.org

Yes, there is the problem with the CAcert intermediate certificate -
it is on my todo list to update this.

> I notice you're using Boa Webserver, and their docs don't seem to show
> how to do things like set custom http headers or mess with the

Adding headers is easy, as said.  Boa does not do https.  gnupg.org uses
the pound proxy to implement https and redirection.

I changed the cipher suite for gnupg.org to a quite restricted one.
More to come.

Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




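The two hardening steps debated in this thread, a 301 redirect from http to https and an HSTS header on the https response, are easy to verify from a captured response. The following is an added example written for this page; it is not code from gnupg.org, Boa or pound, and it does not contact any server. The two responses are constructed sample data using the placeholder host www.example.org, and the minimum max-age of one year is an assumed policy threshold, not a value taken from the post.

```python
"""Check a plain-HTTP response for a 301 redirect to https on the same
host, and an HTTPS response for a Strict-Transport-Security header with
an adequate max-age (RFC 6797 directive syntax).

Added example: not code from gnupg.org, Boa or pound.  The responses
below are constructed sample data, not captures from any real server.
"""
from urllib.parse import urlparse

# Constructed sample: what the plain-HTTP listener should answer.
HTTP_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.example.org/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: the HTTPS response carrying an HSTS header.
HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Assumed policy threshold: one year, the commonly recommended minimum.
MIN_HSTS_AGE = 31536000


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers).

    Header names are lower-cased so lookups are case-insensitive, as the
    protocol requires.  The body is discarded.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(raw, expected_host):
    """True if the response is a 301 whose Location is https on expected_host.

    A redirect to a different host (or to http) does not count: it would
    send the visitor somewhere else instead of upgrading the connection.
    """
    status, headers = parse_response(raw)
    if status != 301:
        return False
    loc = urlparse(headers.get("location", ""))
    return loc.scheme == "https" and loc.hostname == expected_host


def parse_hsts(value):
    """Parse an HSTS header value into {directive_name: value_or_None}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def check_hsts(raw, min_age=MIN_HSTS_AGE):
    """True if the response carries HSTS with max-age >= min_age.

    A missing header, a missing max-age, or a non-numeric max-age all
    fail: browsers ignore a malformed header, so it offers no protection.
    """
    _status, headers = parse_response(raw)
    value = headers.get("strict-transport-security")
    if value is None:
        return False
    try:
        max_age = int(parse_hsts(value).get("max-age"))
    except (TypeError, ValueError):
        return False
    return max_age >= min_age


if __name__ == "__main__":
    print("http -> https redirect ok:", check_redirect(HTTP_RESPONSE, "www.example.org"))
    print("HSTS ok:", check_hsts(HTTPS_RESPONSE))
```

To run it against a real server, replace the constructed strings with the raw response you fetched yourself; the parsing and the checks stay the same. Note that the HSTS header only has effect when delivered over https, so `check_hsts` is meant for the https response, not the redirecting http one.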