X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:from:to:subject:date:message-id:references
	:in-reply-to:content-type:content-transfer-encoding
	:mime-version; q=dns; s=default; b=Vyp5oOqTZq3Y9R/16b/pXdWWdZRWs
	pmypz87EgCHxQAYjvtHxk8EC0TNNvZqKRWSfKTUeoMK08s3UifLTXo/rJXV3B76y
	9sxaMEIzu3QHBUGvkB59ATD5+OFuTHdvbQXv/ufYcmmkkhSZjBcEKhfbNEfAvdWY
	SDPYv8Sb06xh7Y=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:from:to:subject:date:message-id:references
	:in-reply-to:content-type:content-transfer-encoding
	:mime-version; s=default; bh=JPkV/K+XiUrTFOw9Kh9RPqJK+5Q=; b=Fza
	DtiNJ7mHh+w6DjmKRNkSOigYI7fOUhZN3qiMPmeVadzcTsxM3LNWV1cptfsTlGq2
	bnoQTfHRqjiBUM5GTWkgIxKm6GC69c5E2AtDj3GBgETlElzTDPd+xtbvY6ha5FJH
	eY5ezH42DCn6+Az61WuX3oukKCEDx77oNIl9moY4=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=4.9 required=5.0 tests=AWL,BAYES_50,CYGWIN_OWNER_BODY,KAM_INFOUSMEBIZ,RCVD_IN_DNSWL_NONE,SPF_HELO_PASS,SPF_PASS autolearn=no version=3.3.2 spammy=scores, H*F:D*me, rank, H*c:Windows-1252
X-HELO: na01-bl2-obe.outbound.protection.outlook.com
From: Brian Clifton <brian AT clifton DOT me>
To: "cygwin AT cygwin DOT com" <cygwin AT cygwin DOT com>
Subject: Re: Proposed patch for web site: update most links to HTTPS
Date: Mon, 25 Apr 2016 20:46:26 +0000
Message-ID: <BL2PR03MB2288742F5DC8D8FD5C4D07ADF620@BL2PR03MB228.namprd03.prod.outlook.com>
References: <20160425124332 DOT GO2345 AT dinwoodie DOT org> <0D835E9B9CD07F40A48423F80D3B5A702EAF3FBD AT USA7109MB022 DOT na DOT xerox DOT net>,<44C9F285-6E2A-4111-BBDE-957A6E4B4581 AT solidrocksystems DOT com>
In-Reply-To: <44C9F285-6E2A-4111-BBDE-957A6E4B4581@solidrocksystems.com>
authentication-results: cygwin.com; dkim=none (message not signed) header.d=none;cygwin.com; dmarc=none action=none header.from=clifton.me;
x-ms-office365-filtering-correlation-id: a025e2b5-bd15-412b-3e48-08d36d4aabd9
x-microsoft-exchange-diagnostics: 1;BL2PR03MB225;5:bnbMNb+5A8uq/98PPFVebrZEVofbYd6MsVBqTrqunTancn4QmuP+TNsbq/2f2ga5w27nMpO5vyRpjeplMLryYeNvqpQtYlCb3R7zwAeg9SQjhqeB6KSXYPI/gtStE9YPaLOl3B2zPVIVl59+i98DJw==;24:dqc6CA6Qvoz9WwudJsPp5QDt1duztFhlbuBm4B8u6lXOYn2J8q7hUJKSb2/vM+E3zTSOZllqYwYEbG6maFiOHyIUkCQ3OGVFMMZ+cXepoKM=;7:dorTTFenMMvT/S1D5oarbHCjFLmh8sWA7lip6i0NW+c+zqmteQTSl5Hl5XR/NeCk8WvVjmG1sqfOy3e2eLGvZDw2C1Mt0Ttqxps6MjyxPuXnm52StTw2gtWBHPdkNSfzm0zWvEzTgXnXNNSAZzsWHIMKe99RbIu1lwJ//ofCFdxoWFp4Y5bFkngMVnhNJveo
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BL2PR03MB225;
x-microsoft-antispam-prvs: <BL2PR03MB22524C59B023377A75FED67DF620 AT BL2PR03MB225 DOT namprd03 DOT prod DOT outlook DOT com>
x-exchange-antispam-report-test: UriScan:(220618547472400);
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(9101521072)(6040130)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6041072)(6043046);SRVR:BL2PR03MB225;BCL:0;PCL:0;RULEID:;SRVR:BL2PR03MB225;
x-forefront-prvs: 0923977CCA
x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(6009001)(24454002)(13464003)(377454003)(92566002)(15975445007)(2950100001)(2900100001)(10400500002)(50986999)(76176999)(54356999)(87936001)(33656002)(66066001)(19580395003)(86362001)(19580405001)(2351001)(450100001)(15650500001)(5002640100001)(5003600100002)(99286002)(3280700002)(74482002)(2906002)(76576001)(5008740100001)(3660700001)(122556002)(1096002)(81166005)(6116002)(110136002)(102836003)(1730700002)(189998001)(5004730100002)(2501003)(5640700001)(9686002)(586003)(74316001)(1220700001)(11100500001)(3846002)(107886002)(437434002);DIR:OUT;SFP:1102;SCL:1;SRVR:BL2PR03MB225;H:BL2PR03MB228.namprd03.prod.outlook.com;FPR:;SPF:None;MLV:sfv;LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="Windows-1252"
MIME-Version: 1.0
X-OriginatorOrg: clifton.me
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Apr 2016 20:46:26.5024 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8bdfec6b-c71e-4ab9-8b6b-9de7cf58a5f5
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL2PR03MB225
X-IsSubscribed: yes
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by delorie.com id u3PKkp5X020343

>From: cygwin-owner AT cygwin DOT com <cygwin-owner AT cygwin DOT com> on behalf of Vince Rice <vrice AT solidrocksystems DOT com>
>Sent: Monday, April 25, 2016 12:58 PM
>To: cygwin AT cygwin DOT com
>Subject: Re: Proposed patch for web site: update most links to HTTPS
>
>> On Apr 25, 2016, at 2:33 PM, Nellis, Kenneth <Kenneth DOT Nellis AT xerox DOT com> wrote:
>>
>> -----Original Message-----
>> From: Adam Dinwoodie
>>> ...
>>> But I agree with Brian: the Cygwin website
>>> should use https everywhere unless there's some good, specific reason
>>> why it's a bad idea...
>>
>> 1. Did Brian say that? I couldn't find it in the thread.
>> 2. I would be interested to hear the rationale for such a statement.
>> Cygwin is open source. What's the point of encrypting?
>
>I’m not sure what being open source has to do with it.
>It should be encrypted for privacy. Frankly, from what we’ve seen in the last couple of years, plain http: should disappear. It should all be https. (And Adam is exactly correct on the performance; it is a non-issue today and has been for years.)

Hi folks,

Sorry for the top reply in my previous posts, I'm new to email lists :)

Forcing HTTPS was the goal I had in mind, for exactly the reason Vince mentions (for security and privacy). Using relative URLs is OK if a rewrite rule is put in place, forcing HTTPS (which is the case). But many of the links updated are external and do not do that.

There are many articles about why you should always use HTTPS.  The article I referenced with the patch is:
https://textslashplain.com/2016/03/17/seek-and-destroy-non-secure-references-using-the-moartls-analyzer/

Another from Google can be found here:
https://developers.google.com/web/fundamentals/security/encrypt-in-transit/why-https?hl=en

Besides security, another important consideration is that search engines prefer HTTPS links (and rank them higher, even if only by a small amount).

In addition to this patch, Apache could be configured better (Cygwin.com scores a B):
https://www.ssllabs.com/ssltest/analyze.html?d=cygwin.com

Thanks
Brian
--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple