[arch-general] Sites hosted on gudrun are now https-only

Kevin Chadwick ma1l1ists at yahoo.co.uk
Sun Oct 21 19:21:20 EDT 2012


On Sun, 21 Oct 2012 22:32:07 +0200
Thomas Bächler <thomas at archlinux.org> wrote:

> Out of curiosity, what is the motivation for this change?

I wonder too. If you have some server-side PHP or CGI, then enforcement
is far better via a persistent redirect; MITM is not prevented in either
case.

From experience of a friend of mine having boot trouble with Linux
fsck (a problem OpenBSD does not have) with a dead laptop and BIOS
battery. Any machine with a wrong clock (many more than you think,
despite NTP) will be denied service with little gain in security
over a PHP-enforced redirect (except making the attacker proxy no SSL or
a similar rather than same domain, you could argue a smaller window
after first connect but considering the constant exploits for browsers
and a MITM, does it buy you anything except deny some users access when
pacman uses gpg).

SSL RFCs knew this and state that, except for higher-level protocols,
standard SSL does not require a correct clock. I won't deny any
customers access to my sites for the sake of HSTS, in any case. If the
data about lost customers is discovered by the likes of PayPal, I will
expect it to be promptly switched off or modified for compliance like
the terrible DNSSEC saga.

