Slackware
This Forum is for the discussion of Slackware Linux.
I wonder why www.slackware.com has no ssl certificate. Even more, it seems to make a redirect from https to http... that's kinda lame. Nowadays everything shifts towards encryption, and I think it's a good thing. What do you think?
Why should you need to read via https the pages that are available on www.slackware.com?
What information is there that needs to be encrypted?
There is a TLS certificate (otherwise how would you get a redirect?).
There is nothing non-public on the web site. There are no user creds supplied.
"Security" people will always disagree because "someone might be tracking me". Given that there *is* nothing non-public there, someone could read all of it, see that you made a DNS request and read everything you could possibly have read and make assumptions.
We could make it https but really it'd be the lowest priority because there's nothing to be gained.
Encryption should be used wherever it is possible. Somewhere in the near future, Chrome will warn about unencrypted connections. I don't think there is content on www.slackware.com that has to be encrypted, but I think it's good to be prepared for the future.
It's already got HTTPS for free on Akamai - that's not the issue. The issue is with the web server because it does not run HTTPS and Akamai security does not permit you to serve HTTPS to the client and HTTP to the "origin" (the web server behind it) as that would be considered somewhat deceitful and undermines the whole point of the exercise. The web server needs some sweet love, that's all.
Encryption should be used wherever it is possible.
I disagree.
Encrypting a website automatically means that you cannot benefit from network caching or filtering services. This means that your office with 50 employees won't be able to benefit from caching proxies or from malware or advertisement removers. The people who really need those are already forcing that encryption open using very dirty tricks in their corporate networks.
Encryption is a great thing, but when you get a drawback you'd better do it in exchange for something. Encrypting the connection to the Slackware site means increasing the workload/cost/complexity of the website deployment and makes it less accessible to users.
Sensitive content of the site is already certified via OpenPGP. HTTPS is redundant for the verification of the downloads.
That said, Pat is gonna do what he always does: whatever he wants :-)
P.S: My friends regard me as one of those "security people" drmozes was talking about earlier.
Last edited by BlackRider; 09-27-2016 at 08:17 AM.
Reason: Typo.
"Because you can" is seldom in and of itself a sufficient reason for doing anything.
Pointless security is not security, it's security theatre--it's just as bad as not securing things that need to be secured, though for different reasons.
The ISOs on the various mirrors are signed and can be verified.
The knowledge that the www.slackware.com I visited today is the same www.slackware.com I visited yesterday would not affect me in any way that I can think of, and the assurance that no one can track that I went to slackware.com means nothing, since I broadcast publicly my enthusiasm for Slackware. Current bandwagons aside, I don't see why the main site needs https.