LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.

Old 09-26-2016, 05:14 AM   #1
ulyx
LQ Newbie
 
Registered: Nov 2010
Location: Hamburg, Germany
Distribution: Slackware Current
Posts: 23

Rep: Reputation: 3
Why there's no https on www.slackware.com?


I wonder why www.slackware.com has no ssl certificate. Even more, it seems to make a redirect from https to http... that's kinda lame. Nowadays everything shifts towards encryption, and I think it's a good thing. What do you think?

Regards, Uli
 
Old 09-26-2016, 05:20 AM   #2
ponce
LQ Guru
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 7,096

Rep: Reputation: 4173
why should you need to read via https the pages that are available on www.slackware.com?
what information is there that needs to be encrypted?
 
6 members found this post helpful.
Old 09-26-2016, 05:35 AM   #3
drmozes
Slackware Contributor
 
Registered: Apr 2008
Distribution: Slackware
Posts: 1,539

Rep: Reputation: 1309
Quote:
Originally Posted by ponce
why should you need to read via https the pages that are available on www.slackware.com?
what information is there that needs to be encrypted?
There is a TLS certificate (otherwise how would you get a redirect?).

There is nothing non-public on the web site. There are no user creds supplied.
"Security" people will always disagree because "someone might be tracking me". Given that there *is* nothing non-public there, someone could read all of it, see that you made a DNS request and read everything you could possibly have read and make assumptions.

We could make it https but really it'd be the lowest priority because there's nothing to be gained.
 
5 members found this post helpful.
Old 09-26-2016, 05:37 AM   #4
ulyx
LQ Newbie
 
Registered: Nov 2010
Location: Hamburg, Germany
Distribution: Slackware Current
Posts: 23

Original Poster
Rep: Reputation: 3
Encryption should be used wherever it is possible. Somewhere in the near future, Chrome will warn about unencrypted connections. I don't think there is content on www.slackware.com that has to be encrypted, but I think it's good to be prepared for the future.
 
Old 09-26-2016, 05:41 AM   #5
ponce
LQ Guru
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 7,096

Rep: Reputation: 4173
Quote:
Originally Posted by ulyx
Somewhere in the near future, Chrome will warn about unencrypted connections.
if you are referring to this announcement, it's just about "pages that collect passwords or credit cards" (there aren't any).
 
Old 09-26-2016, 05:45 AM   #6
ulyx
LQ Newbie
 
Registered: Nov 2010
Location: Hamburg, Germany
Distribution: Slackware Current
Posts: 23

Original Poster
Rep: Reputation: 3
Quote:
Originally Posted by ponce
if you are referring to this announcement, it's just about "pages that collect passwords or credit cards" (there aren't any).
It says "as part of a long-term plan to mark all HTTP sites as non-secure".
 
Old 09-26-2016, 05:50 AM   #7
ponce
LQ Guru
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 7,096

Rep: Reputation: 4173
Quote:
Originally Posted by ulyx
It says "as part of a long-term plan to mark all HTTP sites as non-secure".
well, that's not "in the near future", they say it's a long term plan.
BTW it's overkill and hopefully they will be smart enough not to pursue it.

Last edited by ponce; 09-26-2016 at 05:52 AM.
 
1 members found this post helpful.
Old 09-26-2016, 11:33 AM   #8
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,219

Rep: Reputation: 5309
HTTPS costs more money to maintain and set up, doesn't it?
 
Old 09-26-2016, 11:45 AM   #9
moisespedro
Senior Member
 
Registered: Nov 2013
Location: Brazil
Distribution: Slackware
Posts: 1,223

Rep: Reputation: 195
Quote:
Originally Posted by dugan
HTTPS costs more money to maintain and set up, doesn't it?
It's free with Let's Encrypt
 
1 members found this post helpful.
Old 09-26-2016, 11:48 AM   #10
zk1234
4MLinux Maintainer
 
Registered: Oct 2010
Location: Poland
Distribution: 4MLinux, Slackware
Posts: 1,254

Rep: Reputation: 220
Quote:
Originally Posted by moisespedro
It's free with Let's Encrypt
...and it's free with CloudFlare

.
 
1 members found this post helpful.
Old 09-26-2016, 12:38 PM   #11
drmozes
Slackware Contributor
 
Registered: Apr 2008
Distribution: Slackware
Posts: 1,539

Rep: Reputation: 1309
Quote:
Originally Posted by zk1234
...and it's free with CloudFlare

.
It's already got HTTPS for free on Akamai - that's not the issue. The issue is with the web server because it does not run HTTPS and Akamai security does not permit you to serve HTTPS to the client and HTTP to the "origin" (the web server behind it) as that would be considered somewhat deceitful and undermines the whole point of the exercise. The web server needs some sweet love, that's all.

Last edited by drmozes; 09-26-2016 at 12:43 PM.
 
1 members found this post helpful.
Old 09-26-2016, 01:23 PM   #12
zk1234
4MLinux Maintainer
 
Registered: Oct 2010
Location: Poland
Distribution: 4MLinux, Slackware
Posts: 1,254

Rep: Reputation: 220
Quote:
Originally Posted by drmozes
It's already got HTTPS for free on Akamai - that's not the issue. The issue is with the web server because it does not run HTTPS and Akamai security does not permit you to serve HTTPS to the client and HTTP to the "origin" (the web server behind it) as that would be considered somewhat deceitful and undermines the whole point of the exercise. The web server needs some sweet love, that's all.
I see.
 
Old 09-26-2016, 01:34 PM   #13
BlackRider
Member
 
Registered: Aug 2011
Posts: 295

Rep: Reputation: 101
Quote:
Originally Posted by ulyx
Encryption should be used wherever it is possible.
I disagree.

Encrypting a website automatically means that you cannot benefit from network caching or filtering services. This means that your office with 50 employees won't be able to benefit from caching proxies or from malware or advertisement removers. The people who really need those are already forcing that encryption open using very dirty tricks in their corporate networks.

Encryption is a great thing, but when you get a drawback you'd better do it in exchange for something. Encrypting the connection to the Slackware site means increasing the workload/cost/complexity of the website deployment and makes it less accessible to users.

Sensitive content of the site is already certified via OpenPGP. HTTPS is redundant for the verification of the downloads.

That said, Pat is gonna do what he always does: whatever he wants :-)

P.S: My friends regard me as one of those "security people" drmozes was talking about earlier.

Last edited by BlackRider; 09-27-2016 at 08:17 AM. Reason: Typo.
 
3 members found this post helpful.
Old 09-26-2016, 08:29 PM   #14
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,311
Blog Entries: 28

Rep: Reputation: 6137
"Because you can" is seldom in and of itself a sufficient reason for doing anything.

Pointless security is not security, it's security theatre--it's just as bad as not securing things that need to be secured, though for different reasons.
 
4 members found this post helpful.
Old 09-26-2016, 08:55 PM   #15
notKlaatu
Senior Member
 
Registered: Sep 2010
Location: Lawrence, New Zealand
Distribution: Slackware
Posts: 1,077

Rep: Reputation: 732
The Slackware store uses https currently.

The ISOs on the various mirrors are signed and can be verified.

The knowledge that the www.slackware.com I visited today is the same www.slackware.com I visited yesterday would not affect me in any way that I can think of, and the assurance that no one can track that I went to slackware.com means nothing, since I broadcast publicly my enthusiasm for Slackware. Current bandwagons aside, I don't see why the main site needs https.

Last edited by notKlaatu; 09-26-2016 at 08:56 PM.
 
2 members found this post helpful.
  


All times are GMT -5. The time now is 02:44 PM.
