Force https for pidgin.im website?

Mark Doliner mark at kingant.net
Mon Apr 1 03:50:51 EDT 2013


How do people feel about redirecting from http to https for all URLs on
pidgin.im?  We're currently doing this for developer.pidgin.im, mostly to
prevent session hijacking, I believe.

My reasons for wanting to do this are:
- Secure interactions with Mailman (subscribing, unsubscribing, admin login)
- Reduce the chances of a MITM sending altered content to a user.  We
should endeavor to provide users links to https downloads of Pidgin to make
it harder for a MITM to distribute a trojan.  There are of course still
many possible MITM avenues here, but closing this one is a small step
forward.

Downsides:
- We'll have to keep buying SSL certs.  But we've been doing this anyway.
 I think this will make it a more visible problem.  We'll probably want to
be more vigilant about monitoring for expired certs.  I added a certificate
reminder here[1], but that's not a great solution because anyone can cancel
it and I'm not sure I want to rely on some random free service that I
stumbled onto.
- Little bit slower to load, especially for users with high latency to our
server (TLS negotiation requires more round trips).

[1] http://www.sslshopper.com/ssl-checker.html#hostname=pidgin.im
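Two checks that follow from the points raised in this message, as added example code (not part of the original post and not anything the pidgin.im infrastructure runs): one confirms that a plain-http response really is a redirect to the same URL over https, the other turns the certificate a server presents into a days-to-expiry figure so expiry can be watched from a cron job rather than a third-party reminder service. Host names, thresholds and the sample certificate dictionary are constructed for illustration; only `fetch_peer_cert` touches the network.

```python
"""Checks for an https-only site: redirect correctness and certificate expiry.

Example code, not from the pidgin.im setup. Sample data below is constructed.
"""
import socket
import ssl
import time
from typing import Optional, Tuple
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 307, 308}


def is_https_redirect(request_url: str, status: int, location: Optional[str]) -> bool:
    """True only if a response to a plain-http request redirects to the *same*
    host, path and query over https.

    A 200 over http, a redirect that stays on http, or a redirect to another
    host all count as failures of a 'redirect everything to https' policy.
    """
    if status not in REDIRECT_STATUSES or not location:
        return False
    src = urlsplit(request_url)
    dst = urlsplit(location)
    return (
        dst.scheme == "https"
        and dst.hostname == src.hostname
        and dst.path == src.path
        and dst.query == src.query
    )


def days_until_expiry(cert: dict, now: Optional[float] = None) -> float:
    """Days left on a certificate dict as returned by SSLSocket.getpeercert().

    'notAfter' has the form 'Apr  1 03:50:51 2014 GMT'; ssl.cert_time_to_seconds
    parses it as UTC.  Negative means already expired.
    """
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return (not_after - now) / 86400.0


def check_expiry(cert: dict, warn_days: int = 14, now: Optional[float] = None) -> Tuple[str, float]:
    """Classify a certificate as OK / WARN / EXPIRED relative to warn_days."""
    days = days_until_expiry(cert, now)
    if days <= 0:
        return ("EXPIRED", days)
    if days < warn_days:
        return ("WARN", days)
    return ("OK", days)


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Network helper (not exercised offline): verify the chain against the
    system trust store and return the leaf certificate as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificate (hypothetical host, not captured from pidgin.im).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.invalid"),),),
    "notBefore": "Apr  1 00:00:00 2013 GMT",
    "notAfter": "Apr 15 00:00:00 2013 GMT",
}

# Epoch seconds for 2013-04-01 00:00:00 UTC, used as a fixed 'now' in examples.
APR_1_2013 = 1364774400


if __name__ == "__main__":
    # Offline demonstration on the constructed data.
    print(is_https_redirect("http://www.example.invalid/", 301, "https://www.example.invalid/"))
    print(check_expiry(SAMPLE_CERT, warn_days=30, now=APR_1_2013))
    # Live check (requires network): fetch_peer_cert("www.example.invalid")
```

A real monitor would call `fetch_peer_cert` for each host from cron and alert on anything but `OK`; because `create_default_context` verifies the chain, a certificate that has already expired raises during the handshake before `getpeercert` returns, which is itself a useful alarm.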