Force https for pidgin.im website?

Jurre van Bergen drwhax at 2600nl.net
Fri Apr 5 07:16:22 EDT 2013


May I suggest adding HTTPS pinning to Chromium and HSTS headers so SSL
is used by default and is harder to MITM?

All the best,

Jurre

On 04/01/2013 09:50 AM, Mark Doliner wrote:
> How do people feel about redirecting from http to https for all URLs on
> pidgin.im?  We're currently doing this for developer.pidgin.im, mostly to
> prevent session hijacking, I believe.
>
> My reasons for wanting to do this are:
> - Secure interactions with Mailman (subscribing, unsubscribing, admin login)
> - Reduce the chances of a MITM sending altered content to a user.  We
> should endeavor to provide users links to https downloads of Pidgin to make
> it harder for a MITM to distribute a trojan.  There are of course still
> many possible MITM avenues here, but closing this one is a small step
> forward.
>
> Downsides:
> - We'll have to keep buying SSL certs.  But we've been doing this anyway.
> I think this will make it a more visible problem.  We'll probably want to
> be more vigilant about monitoring for expired certs.  I added a certificate
> reminder here[1], but that's not a great solution because anyone can cancel
> it and I'm not sure I want to rely on some random free service that I
> stumbled onto.
> - Little bit slower to load, especially for users with high latency to our
> server (TLS negotiation requires more round trips).
>
> [1] http://www.sslshopper.com/ssl-checker.html#hostname=pidgin.im
>
>
>
> _______________________________________________
> Devel mailing list
> Devel at pidgin.im
> http://pidgin.im/cgi-bin/mailman/listinfo/devel


-- 
Give a man a fish and you feed him for a day; teach a man to fish and you feed him for life.

http://jurrevanbergen.nl/
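The three things this thread asks for (an http-to-https redirect, an HSTS header, and someone watching certificate expiry) can be checked with a small audit script instead of a third-party reminder service. The code below is an added example written for this page; it is not code from the thread or from the Pidgin project. It runs against constructed sample responses so it works offline; the function names, the six-month HSTS threshold and the 14-day expiry warning are assumptions, and the sample dates are made up.

```python
"""Audit an HTTPS-by-default posture: redirect, HSTS, certificate expiry.

Added example for this page, not Pidgin project code. The response data at
the bottom is constructed, not captured from pidgin.im.
"""
import ssl
import time
from typing import Dict, List, Optional

HSTS_MIN_AGE = 180 * 24 * 3600  # six months; threshold is an assumption
EXPIRY_WARN_DAYS = 14           # warn this many days before notAfter


def redirects_to_https(status: int, headers: Dict[str, str], host: str) -> bool:
    """True if an http:// response is a redirect to the https:// origin of the same host."""
    if status not in (301, 302, 307, 308):
        return False
    location = headers.get("Location", "").lower()
    return location.startswith("https://" + host.lower())


def parse_hsts(value: str) -> Dict[str, str]:
    """Split a Strict-Transport-Security header into lower-cased directives."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def hsts_is_adequate(value: Optional[str]) -> bool:
    """Require a long max-age and includeSubDomains, so the policy covers developer.pidgin.im too."""
    if not value:
        return False
    directives = parse_hsts(value)
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        return False
    return max_age >= HSTS_MIN_AGE and "includesubdomains" in directives


def days_until_expiry(not_after: str, now: Optional[float] = None) -> float:
    """not_after uses the format ssl.getpeercert() returns, e.g. 'Apr  5 07:16:22 2014 GMT'."""
    expires = ssl.cert_time_to_seconds(not_after)
    current = time.time() if now is None else now
    return (expires - current) / 86400.0


def audit(host: str, http_status: int, http_headers: Dict[str, str],
          https_headers: Dict[str, str], not_after: str,
          now: Optional[float] = None) -> List[str]:
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    if not redirects_to_https(http_status, http_headers, host):
        findings.append("http does not redirect to https")
    if not hsts_is_adequate(https_headers.get("Strict-Transport-Security")):
        findings.append("HSTS header missing or too weak")
    days = days_until_expiry(not_after, now)
    if days < EXPIRY_WARN_DAYS:
        findings.append("certificate expires in %d days" % round(days))
    return findings


# Constructed sample: what a correctly configured site would answer (not real captures).
SAMPLE = dict(
    host="pidgin.im",
    http_status=301,
    http_headers={"Location": "https://pidgin.im/"},
    https_headers={"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    not_after="Apr  5 07:16:22 2014 GMT",
)
# Fixed "current time" for a reproducible demo: 11 days before the sample notAfter.
NOW_FOR_DEMO = ssl.cert_time_to_seconds("Mar 25 07:16:22 2014 GMT")

if __name__ == "__main__":
    for finding in audit(now=NOW_FOR_DEMO, **SAMPLE) or ["all checks passed"]:
        print(finding)
```

In real use the inputs come from an HTTP client (status and headers of the http:// and https:// responses) and from ssl.getpeercert()["notAfter"] on the TLS socket; running the audit from cron and mailing the findings gives the list its own expiry reminder rather than relying on an external service.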
