Proposed patch for web site: update most links to HTTPS

Brian Clifton brian@clifton.me
Mon Apr 25 23:18:00 GMT 2016


>From: cygwin-owner@cygwin.com <cygwin-owner@cygwin.com> on behalf of Vince Rice <vrice@solidrocksystems.com>
>Sent: Monday, April 25, 2016 12:58 PM
>To: cygwin@cygwin.com
>Subject: Re: Proposed patch for web site: update most links to HTTPS
>
>> On Apr 25, 2016, at 2:33 PM, Nellis, Kenneth <Kenneth.Nellis@xerox.com> wrote:
>>
>> -----Original Message-----
>> From: Adam Dinwoodie
>>> ...
>>> But I agree with Brian: the Cygwin website
>>> should use https everywhere unless there's some good, specific reason
>>> why it's a bad idea...
>>
>> 1. Did Brian say that? I couldn't find it in the thread.
>> 2. I would be interested to hear the rationale for such a statement.
>> Cygwin is open source. What's the point of encrypting?
>
>I’m not sure what being open source has to do with it.
>It should be encrypted for privacy. Frankly, from what we’ve seen in the last couple of years, plain http: should disappear. It should all be https. (And Adam is exactly correct on the performance; it is a non-issue today and has been for years.)

Hi folks,

Sorry for the top reply in my previous posts, I'm new to email lists :)

Forcing HTTPS was the goal I had in mind, for exactly the reason Vince mentions (for security and privacy). Using relative URLs is OK if a rewrite rule is put in place, forcing HTTPS (which is the case). But many of the links updated are external and do not do that.

There are many articles about why you should always use HTTPS.  The article I referenced with the patch is:
https://textslashplain.com/2016/03/17/seek-and-destroy-non-secure-references-using-the-moartls-analyzer/

Another from Google can be found here:
https://developers.google.com/web/fundamentals/security/encrypt-in-transit/why-https?hl=en

Besides security, another important consideration is that search engines prefer HTTPS links (and rank them higher, even if only by a small amount).

In addition to this patch, Apache could be configured better (Cygwin.com scores a B):
https://www.ssllabs.com/ssltest/analyze.html?d=cygwin.com

Thanks
Brian
--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple



More information about the Cygwin mailing list