Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Fix Version/s: None
    • Component/s: Website
    • Labels:
      None
    • Project:
      Incubator

      Description

      At the moment Tamaya's project page is available via http and https, please configure a redirect from http to https to enforce TLS/SSL.

      The URI is
      http://tamaya.incubator.apache.org/ /
      https://tamaya.incubator.apache.org/

      Thanks

        Activity

        gmcdonald Gavin added a comment -
        2 questions.

        1. Why? I do not see any login requirements or anything that requires input of sensitive information, no user input at all, anywhere I can see, so why is https needed to
        be a requirement of this site?

        2. You can likely configure this yourself in the incubator .htaccess file.
        hugo.hirsch Philipp Ottlinger added a comment - Reporter
        Thanks for your reply - I'd prefer to use SSL as default in order to spread the use of encryption and thought it's the wanted default at ASF.

        I wasn't aware of the .htaccess-possibility. Do I need to check it in to our site's repo in
        https://github.com/apache/incubator-tamaya-site/tree/asf-site ?
        Since we are using a generator this could be more error-prone than a more centralized configuration by INFRA ... wdyt?
        hugo.hirsch Philipp Ottlinger added a comment - Reporter
        Apart from that SSL
        * gives higher google rankings
        * prevents man in the middle attacks, provides transport layer security
        * is much faster, see http://www.httpvshttps.com/

        Non-SSL connections are marked as insecure in many browsers as well.
        gstein Greg Stein added a comment -
        * "Apache Tamaya" will always list the Apache project as its first hit. There is simply no way that another site is going to preempt the project.
        * there is nothing sensitive in our websites, as they are static, public content. Nobody will be attempting a MITM hack. It just isn't worthwhile.
        * that is a garbage site. It is comparing HTTP/1 to HTTP/2 (aka SPDY). It is *not* HTTP vs HTTPS.

        Users can visit our sites using whatever protocol they like, and is easiest for them. And the tools they write -- accessing HTTP resources can be easier for client tools.

        We will not be installing ASF-wide redirects to HTTPS.

        Thanks,
        Greg Stein
        Infrastructure Administrator

          People

          • Assignee:
            gmcdonald Gavin
            Reporter:
            hugo.hirsch Philipp Ottlinger
            Request participants:
            None
          • Votes:
            0
            Watchers:
            2
