DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:from:to:subject:date:message-id:references
	:in-reply-to:content-type:content-transfer-encoding
	:mime-version; q=dns; s=default; b=Vyp5oOqTZq3Y9R/16b/pXdWWdZRWs
	pmypz87EgCHxQAYjvtHxk8EC0TNNvZqKRWSfKTUeoMK08s3UifLTXo/rJXV3B76y
	9sxaMEIzu3QHBUGvkB59ATD5+OFuTHdvbQXv/ufYcmmkkhSZjBcEKhfbNEfAvdWY
	SDPYv8Sb06xh7Y=
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
From: Brian Clifton <brian@clifton.me>
To: "cygwin@cygwin.com" <cygwin@cygwin.com>
Subject: Re: Proposed patch for web site: update most links to HTTPS
Date: Mon, 25 Apr 2016 20:46:26 +0000
Message-ID: <BL2PR03MB2288742F5DC8D8FD5C4D07ADF620@BL2PR03MB228.namprd03.prod.outlook.com>
References: <20160425124332.GO2345@dinwoodie.org> <0D835E9B9CD07F40A48423F80D3B5A702EAF3FBD@USA7109MB022.na.xerox.net>,<44C9F285-6E2A-4111-BBDE-957A6E4B4581@solidrocksystems.com>
In-Reply-To: <44C9F285-6E2A-4111-BBDE-957A6E4B4581@solidrocksystems.com>
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="Windows-1252"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Apr 2016 20:46:26.5024 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8bdfec6b-c71e-4ab9-8b6b-9de7cf58a5f5
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL2PR03MB225
X-IsSubscribed: yes
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by delorie.com id u3PKkp5X020343

>From: cygwin-owner@cygwin.com <cygwin-owner@cygwin.com> on behalf of Vince Rice <vrice@solidrocksystems.com>
>Sent: Monday, April 25, 2016 12:58 PM
>To: cygwin@cygwin.com
>Subject: Re: Proposed patch for web site: update most links to HTTPS
>
>> On Apr 25, 2016, at 2:33 PM, Nellis, Kenneth <Kenneth.Nellis@xerox.com> wrote:
>>
>> -----Original Message-----
>> From: Adam Dinwoodie
>>> ...
>>> But I agree with Brian: the Cygwin website
>>> should use https everywhere unless there's some good, specific reason
>>> why it's a bad idea...
>>
>> 1. Did Brian say that? I couldn't find it in the thread.
>> 2. I would be interested to hear the rationale for such a statement.
>> Cygwin is open source. What's the point of encrypting?
>
>I’m not sure what being open source has to do with it.
>It should be encrypted for privacy. Frankly, from what we’ve seen in the last couple of years, plain http: should disappear. It should all be https. (And Adam is exactly correct on the performance; it is a non-issue today and has been for years.)

Hi folks,

Sorry for the top reply in my previous posts, I'm new to email lists :)

Forcing HTTPS was the goal I had in mind, for exactly the reason Vince mentions (for security and privacy). Using relative URLs is OK if a rewrite rule is put in place, forcing HTTPS (which is the case). But many of the links updated are external and do not do that.

There are many articles about why you should always use HTTPS.  The article I referenced with the patch is:
https://textslashplain.com/2016/03/17/seek-and-destroy-non-secure-references-using-the-moartls-analyzer/

Another from Google can be found here:
https://developers.google.com/web/fundamentals/security/encrypt-in-transit/why-https?hl=en

Besides security, another important consideration is that search engines prefer HTTPS links (and rank them higher, even if only by a small amount).

In addition to this patch, Apache could be configured better (Cygwin.com scores a B):
https://www.ssllabs.com/ssltest/analyze.html?d=cygwin.com

Thanks
Brian
--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple