Discussion:
FTP->HTTPS; maybe HTTP->HTTPS for Gnulib?
Paul Eggert
2017-09-12 23:43:10 UTC
Since the GNU project is decommissioning FTP soon, I installed the attached.

What do people think about changing the Gnulib documentation and code to use HTTPS
instead of HTTP? That should help repel man-in-the-middle attacks.
Jim Meyering
2017-09-12 23:55:49 UTC
I like the idea.
Post by Paul Eggert
Since the GNU project is decommissioning FTP soon, I installed the attached.
What do people think about changing the Gnulib documentation and code to use
HTTPS instead of HTTP? That should help repel man-in-the-middle attacks.
Bruno Haible
2017-09-13 01:18:58 UTC
Post by Paul Eggert
What do people think about changing the Gnulib documentation and code to use HTTPS
instead of HTTP?
Absolutely in favour. Man-in-the-middle attacks are *so* easy to perform when
no certificates are involved.

This patch does it for the doc.


2017-09-12 Bruno Haible <***@clisp.org>

doc: Prefer https URLs where possible.
* doc/**/*.texi: Use https URLs instead of http URLs where possible.
* doc/ld-output-def.texi: Remove unavailable URL.

diff --git a/doc/glibc-headers/alloca.texi b/doc/glibc-headers/alloca.texi
index 6dfd2af..ec6fff0 100644
--- a/doc/glibc-headers/alloca.texi
+++ b/doc/glibc-headers/alloca.texi
@@ -10,7 +10,7 @@ Documentation:
@ref{Variable Size Automatic,,Automatic Storage with Variable Size,libc},
@end ifinfo
@ifnotinfo
-@url{http://www.gnu.org/software/libc/manual/html_node/Variable-Size-Automatic.html},
+@url{https://www.gnu.org/software/libc/manual/html_node/Variable-Size-Automatic.html},
@end ifnotinfo
@item
@uref{http://www.kernel.org/doc/man-pages/online/pages/man3/alloca.3.html,,man alloca}.
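Review bot: the @uref to www.kernel.org in the trailing context of this hunk is still http:// while the line above it moves to https://. The log entry says "where possible", so either convert the kernel.org man-page links in the same pass or state in the log that they were checked and have no HTTPS equivalent. The same leftover follows the changed line in the argz, crypt, envz, err, error, execinfo, fstab, getopt, mntent, pty and sys_ioctl hunks below.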
diff --git a/doc/glibc-headers/argp.texi b/doc/glibc-headers/argp.texi
index 178b357..9a46d54 100644
--- a/doc/glibc-headers/argp.texi
+++ b/doc/glibc-headers/argp.texi
@@ -8,7 +8,7 @@ Documentation:
@ref{Argp,,Parsing Program Options with Argp,libc},
@end ifinfo
@ifnotinfo
-@url{http://www.gnu.org/software/libc/manual/html_node/Argp.html}.
+@url{https://www.gnu.org/software/libc/manual/html_node/Argp.html}.
@end ifnotinfo
@end itemize

diff --git a/doc/glibc-headers/argz.texi b/doc/glibc-headers/argz.texi
index 9fbbd3a..dbcb0da 100644
--- a/doc/glibc-headers/argz.texi
+++ b/doc/glibc-headers/argz.texi
@@ -8,7 +8,7 @@ Documentation:
@ref{Argz Functions,,,libc},
@end ifinfo
@ifnotinfo
-@url{http://www.gnu.org/software/libc/manual/html_node/Argz-Functions.html},
+@url{https://www.gnu.org/software/libc/manual/html_node/Argz-Functions.html},
@end ifnotinfo
@item
@uref{http://www.kernel.org/doc/man-pages/online/pages/man3/argz.3.html,,man argz}.
diff --git a/doc/glibc-headers/crypt.texi b/doc/glibc-headers/crypt.texi
index 13eda70..52729a3 100644
--- a/doc/glibc-headers/crypt.texi
+++ b/doc/glibc-headers/crypt.texi
@@ -14,8 +14,8 @@ Documentation:
@ref{DES Encryption,,,libc},
@end ifinfo
@ifnotinfo
-@url{http://www.gnu.org/software/libc/manual/html_node/crypt.html},
-@url{http://www.gnu.org/software/libc/manual/html_node/DES-Encryption.html},
+@url{https://www.gnu.org/software/libc/manual/html_node/crypt.html},
+@url{https://www.gnu.org/software/libc/manual/html_node/DES-Encryption.html},
@end ifnotinfo
@item
@uref{http://www.kernel.org/doc/man-pages/online/pages/man3/crypt.3.html,,man crypt},
diff --git a/doc/glibc-headers/envz.texi b/doc/glibc-headers/envz.texi
index fb1ae7b..71d95ce 100644
--- a/doc/glibc-headers/envz.texi
+++ b/doc/glibc-headers/envz.texi
@@ -8,7 +8,7 @@ Documentation:
@ref{Envz Functions,,,libc},
@end ifinfo
@ifnotinfo
-@url{http://www.gnu.org/software/libc/manual/html_node/Envz-Functions.html},
+@url{https://www.gnu.org/software/libc/manual/html_node/Envz-Functions.html},
@end ifnotinfo
@item
@uref{http://www.kernel.org/doc/man-pages/online/pages/man3/envz.3.html,,man envz}.
diff --git a/doc/glibc-headers/err.texi b/doc/glibc-headers/err.texi
index dd01389..1319471 100644
--- a/doc/glibc-headers/err.texi
+++ b/doc/glibc-headers/err.texi
@@ -12,7 +12,7 @@ Documentation:
@ref{Error Messages,,,libc},
@end ifinfo
@ifnotinfo
-@url{http://www.gnu.org/software/libc/manual/html_node/Error-Messages.html},
+@url{https://www.gnu.org/software/libc/manual/html_node/Error-Messages.html},
@end ifnotinfo
@item
@uref{http://www.kernel.org/doc/man-pages/online/pages/man3/err.3.html,,man err}.
diff --git a/doc/glibc-headers/error.texi b/doc/glibc-headers/error.texi
index 1a012a1..5201e37 100644
--- a/doc/glibc-headers/error.texi
+++ b/doc/glibc-headers/error.texi
@@ -12,7 +12,7 @@ Documentation:
@ref{Error Messages,,,libc},
@end ifinfo
@ifnotinfo
-@url{http://www.gnu.org/software/libc/manual/html_node/Error-Messages.html},
+@url{https://www.gnu.org/software/libc/manual/html_node/Error-Messages.html},
@end ifnotinfo
@item
@uref{http://www.kernel.org/doc/man-pages/online/pages/man3/error.3.html,,man error}.
diff --git a/doc/glibc-headers/execinfo.texi b/doc/glibc-headers/execinfo.texi
index cecf0b9..fb9c52a 100644
--- a/doc/glibc-headers/execinfo.texi
+++ b/doc/glibc-headers/execinfo.texi
@@ -11,7 +11,7 @@ Documentation:
@ref{Backtraces,,,libc},
@end ifinfo
@ifnotinfo
-@url{http://www.gnu.org/software/libc/manual/html_node/Backtraces.html},
+@url{https://www.gnu.org/software/libc/manual/html_node/Backtraces.html},
@end ifnotinfo
@item
@uref{http://www.kernel.org/doc/man-pages/online/pages/man3/backtrace.3.html,,man backtrace}.
diff --git a/doc/glibc-headers/fstab.texi b/doc/glibc-headers/fstab.texi
index 9f05f02..c3cb6be 100644
--- a/doc/glibc-headers/fstab.texi
+++ b/doc/glibc-headers/fstab.texi
@@ -13,7 +13,7 @@ Documentation:
@ref{fstab,,The `fstab' file,libc},
@end ifinfo
@ifnotinfo
-@url{http://www.gnu.org/software/libc/manual/html_node/fstab.html},
+@url{https://www.gnu.org/software/libc/manual/html_node/fstab.html},
@end ifnotinfo
@item
@uref{http://www.kernel.org/doc/man-pages/online/pages/man3/setfsent.3.html,,man setfsent}.
diff --git a/doc/glibc-headers/getopt.texi b/doc/glibc-headers/getopt.texi
index e3b485f..640f271 100644
--- a/doc/glibc-headers/getopt.texi
+++ b/doc/glibc-headers/getopt.texi
@@ -12,7 +12,7 @@ Documentation:
@ref{Getopt,,Parsing program options using `getopt',libc},
@end ifinfo
@ifnotinfo
-@url{http://www.gnu.org/software/libc/manual/html_node/Getopt.html},
+@url{https://www.gnu.org/software/libc/manual/html_node/Getopt.html},
@end ifnotinfo
@item
@uref{http://www.kernel.org/doc/man-pages/online/pages/man3/getopt.3.html,,man getopt}.
diff --git a/doc/glibc-headers/libintl.texi b/doc/glibc-headers/libintl.texi
index f7eb721..403d5be 100644
--- a/doc/glibc-headers/libintl.texi
+++ b/doc/glibc-headers/libintl.texi
@@ -14,7 +14,7 @@ Documentation:
@ref{Message catalogs with gettext,,The `gettext' family of functions,libc},
@end ifinfo
@ifnotinfo
-@url{http://www.gnu.org/software/libc/manual/html_node/Message-catalogs-with-gettext.html},
+@url{https://www.gnu.org/software/libc/manual/html_node/Message-catalogs-with-gettext.html},
@end ifnotinfo
@item
@ifinfo
diff --git a/doc/glibc-headers/mcheck.texi b/doc/glibc-headers/mcheck.texi
index 6bb4b50..3e22f0c 100644
--- a/doc/glibc-headers/mcheck.texi
+++ b/doc/glibc-headers/mcheck.texi
@@ -12,7 +12,7 @@ Documentation:
@ref{Heap Consistency Checking,,,libc},
@end ifinfo
@ifnotinfo
-@url{http://www.gnu.org/software/libc/manual/html_node/Heap-Consistency-Checking.html}.
+@url{https://www.gnu.org/software/libc/manual/html_node/Heap-Consistency-Checking.html}.
@end ifnotinfo
@end itemize

diff --git a/doc/glibc-headers/mntent.texi b/doc/glibc-headers/mntent.texi
index dd2c858..9806fd5 100644
--- a/doc/glibc-headers/mntent.texi
+++ b/doc/glibc-headers/mntent.texi
@@ -13,7 +13,7 @@ Documentation:
@ref{mtab,,The `mtab' file,libc},
@end ifinfo
@ifnotinfo
-@url{http://www.gnu.org/software/libc/manual/html_node/mtab.html},
+@url{https://www.gnu.org/software/libc/manual/html_node/mtab.html},
@end ifnotinfo
@item
@uref{http://www.kernel.org/doc/man-pages/online/pages/man3/setmntent.3.html,,man setmntent}.
diff --git a/doc/glibc-headers/obstack.texi b/doc/glibc-headers/obstack.texi
index d5103fd..b61eb66 100644
--- a/doc/glibc-headers/obstack.texi
+++ b/doc/glibc-headers/obstack.texi
@@ -8,7 +8,7 @@ Documentation:
@ref{Obstacks,,,libc},
@end ifinfo
@ifnotinfo
-@url{http://www.gnu.org/software/libc/manual/html_node/Obstacks.html}.
+@url{https://www.gnu.org/software/libc/manual/html_node/Obstacks.html}.
@end ifnotinfo
@end itemize

diff --git a/doc/glibc-headers/printf.texi b/doc/glibc-headers/printf.texi
index 4817133..33a4118 100644
--- a/doc/glibc-headers/printf.texi
+++ b/doc/glibc-headers/printf.texi
@@ -14,7 +14,7 @@ Documentation:
@ref{Parsing a Template String,,,libc},
@end ifinfo
@ifnotinfo
-@url{http://www.gnu.org/software/libc/manual/html_node/Parsing-a-Template-String.html}.
+@url{https://www.gnu.org/software/libc/manual/html_node/Parsing-a-Template-String.html}.
@end ifnotinfo
@end itemize

diff --git a/doc/glibc-headers/pty.texi b/doc/glibc-headers/pty.texi
index c5acd68..6d87b77 100644
--- a/doc/glibc-headers/pty.texi
+++ b/doc/glibc-headers/pty.texi
@@ -10,7 +10,7 @@ Documentation:
@ref{Pseudo-Terminal Pairs,,Opening a Pseudo-Terminal Pair,libc},
@end ifinfo
@ifnotinfo
-@url{http://www.gnu.org/software/libc/manual/html_node/Pseudo_002dTerminal-Pairs.html},
+@url{https://www.gnu.org/software/libc/manual/html_node/Pseudo_002dTerminal-Pairs.html},
@end ifnotinfo
@item
@uref{http://www.kernel.org/doc/man-pages/online/pages/man3/openpty.3.html,,man openpty}.
diff --git a/doc/glibc-headers/sys_ioctl.texi b/doc/glibc-headers/sys_ioctl.texi
index bd807c4..1d1884a 100644
--- a/doc/glibc-headers/sys_ioctl.texi
+++ b/doc/glibc-headers/sys_ioctl.texi
@@ -10,7 +10,7 @@ Documentation:
@ref{IOCTLs,,,libc},
@end ifinfo
@ifnotinfo
-@url{http://www.gnu.org/software/libc/manual/html_node/IOCTLs.html},
+@url{https://www.gnu.org/software/libc/manual/html_node/IOCTLs.html},
@end ifnotinfo
@item
@uref{http://www.kernel.org/doc/man-pages/online/pages/man2/ioctl.2.html,,man ioctl}.
diff --git a/doc/gnulib-intro.texi b/doc/gnulib-intro.texi
index bdc5b39..bd68c66 100644
--- a/doc/gnulib-intro.texi
+++ b/doc/gnulib-intro.texi
@@ -162,7 +162,7 @@ IRIX 6.5 is no longer tested.
OSF/1 5.1 is no longer tested.
@item
Interix 6.1 is no longer tested, and requires the @code{suacomp} library
-(@url{http://sourceforge.net/projects/suacomp/}) in version 0.6.8 or newer.
+(@url{https://sourceforge.net/projects/suacomp/}) in version 0.6.8 or newer.
@item
Haiku and BeOS are no longer tested.
@item
@@ -446,7 +446,7 @@ There is the newest version of Gnulib from the Git repository.

@item
We also make stable releases every two months, at
-@url{http://erislabs.net/ianb/projects/gnulib/}.
+@url{https://erislabs.net/ianb/projects/gnulib/}.
@end itemize

If you are willing to report an occasional regression, we recommend to
diff --git a/doc/gnulib-readme.texi b/doc/gnulib-readme.texi
index 1422135..126d052 100644
--- a/doc/gnulib-readme.texi
+++ b/doc/gnulib-readme.texi
@@ -59,7 +59,7 @@ $ git clone git://git.sv.gnu.org/gnulib.git

For a read-write checkout you need to have a login on
@samp{savannah.gnu.org} and be a member of the Gnulib project at
-@url{http://savannah.gnu.org/projects/gnulib}. Then, instead of the
+@url{https://savannah.gnu.org/projects/gnulib}. Then, instead of the
URL @url{git://git.sv.gnu.org/gnulib}, use the URL
@samp{ssh://@var{user}@@git.sv.gnu.org/srv/git/gnulib} where
@var{user} is your login name on savannah.gnu.org.
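Review bot: the context around the changed line still tells readers to fetch the sources with git clone git://git.sv.gnu.org/gnulib.git and names git://git.sv.gnu.org/gnulib as the read-only URL. The git:// transport is neither encrypted nor authenticated, so the code download stays exposed to the same tampering that the https change is meant to stop on the project page. If Savannah offers an https clone URL, document that one here.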
@@ -68,9 +68,9 @@ git resources:

@table @asis
@item Overview:
-@url{http://en.wikipedia.org/wiki/Git_(software)}
+@url{https://en.wikipedia.org/wiki/Git_(software)}
@item Homepage:
-@url{http://git-scm.com/}
+@url{https://git-scm.com/}
@end table

When you use @code{git annotate} or @code{git blame} with Gnulib, it's
@@ -249,7 +249,7 @@ Check the license and copyright year of headers.

@item
Check that the source code follows the GNU coding standards;
-see @url{http://www.gnu.org/prep/standards}.
+see @url{https://www.gnu.org/prep/standards}.

@item
Add source files to @file{config/srclist*} if they are identical to upstream
diff --git a/doc/gnulib-tool.texi b/doc/gnulib-tool.texi
index d08aa44..9614c9f 100644
--- a/doc/gnulib-tool.texi
+++ b/doc/gnulib-tool.texi
@@ -63,7 +63,7 @@ in your package:
@itemize
@item
You have the complete module list, sorted according to categories, in
-@url{http://www.gnu.org/software/gnulib/MODULES.html}.
+@url{https://www.gnu.org/software/gnulib/MODULES.html}.

@item
If you are looking for a particular POSIX header or function replacement,
@@ -590,7 +590,7 @@ Standards, the steps are:
@item
When you run @code{gettextize}, always use the @code{gettextize} from the
matching GNU gettext release. For the most recent Gnulib checkout, this is
-the newest release found on @url{http://ftp.gnu.org/gnu/gettext/}. For an
+the newest release found on @url{https://ftp.gnu.org/gnu/gettext/}. For an
older Gnulib snapshot, it is the release that was the most recent release
at the time the Gnulib snapshot was taken.

@@ -651,7 +651,7 @@ $ env AUTOPOINT=true autoreconf --install

Gnulib provides some functions that emit translatable messages using GNU
@code{gettext}. The @samp{gnulib} domain at the
-@url{http://translationproject.org/, Translation Project} collects
+@url{https://translationproject.org/, Translation Project} collects
translations of these messages, which you should incorporate into your
own programs.

diff --git a/doc/gnulib.texi b/doc/gnulib.texi
index 188ece6..1468c14 100644
--- a/doc/gnulib.texi
+++ b/doc/gnulib.texi
@@ -101,10 +101,10 @@ Resources:

@itemize
@item Gnulib is hosted at Savannah:
- @url{http://savannah.gnu.org/projects/gnulib}. Get the sources
+ @url{https://savannah.gnu.org/projects/gnulib}. Get the sources
through Git from there.
@item The Gnulib home page:
- @url{http://www.gnu.org/software/gnulib/}.
+ @url{https://www.gnu.org/software/gnulib/}.
@end itemize

@include gnulib-readme.texi
diff --git a/doc/ld-output-def.texi b/doc/ld-output-def.texi
index 526ccb0..34e197a 100644
--- a/doc/ld-output-def.texi
+++ b/doc/ld-output-def.texi
@@ -15,7 +15,7 @@ The variants we have considered include:

@itemize @bullet
@item Use DUMPBIN /EXPORTS.
-This is explained in @url{http://support.microsoft.com/kb/131313/en-us}.
+This is explained in @url{https://support.microsoft.com/kb/131313/en-us}.
The tool does not generate DEF files directly, so its output needs to
be post processed manually:
@smallexample
@@ -27,7 +27,6 @@ $ lib /def:libfoo-0.def

@item Use IMPDEF.
There is a tool called IMPDEF
-(@url{http://sei.pku.edu.cn/~caodg/course/c/reference/win32/tools/dlltool.html})
that can generate DEF files. However, it is not part of a standard
Visual Studio installation. Further, it is documented as being an
unreliable process.
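Review bot: dropping the dlltool.html link in the IMPDEF item leaves "it is documented as being an unreliable process", two lines further down, with no pointer to where that is documented. Either cite another source for the claim or reword the sentence so it no longer refers to documentation the reader cannot find.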
diff --git a/doc/ld-version-script.texi b/doc/ld-version-script.texi
index 4eb8249..ac7e01e 100644
--- a/doc/ld-version-script.texi
+++ b/doc/ld-version-script.texi
@@ -12,7 +12,7 @@ of each dependency (by looking at the symbol list) and stuff the
information into the Debian specific packaging files.

For more information and other uses of version scripts, see Ulrich
-Drepper's paper @url{http://people.redhat.com/drepper/dsohowto.pdf}
+Drepper's paper @url{https://www.akkadia.org/drepper/dsohowto.pdf}

You use the module by importing it to your library, and then add the
following lines to the @code{Makefile.am} that builds the library:
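Review bot: the Drepper link changes host, from people.redhat.com to www.akkadia.org, not just scheme, while the log entry only mentions switching http to https. Say in the log that the paper's location changed, so the new host can be checked as the intended one; the same substitution is made in doc/lib-symbol-visibility.texi. The sentence also still ends without a period after the @url.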
diff --git a/doc/lib-symbol-visibility.texi b/doc/lib-symbol-visibility.texi
index f36ef11..b50159f 100644
--- a/doc/lib-symbol-visibility.texi
+++ b/doc/lib-symbol-visibility.texi
@@ -93,9 +93,9 @@ was already supported in GCC 3.4, but without the command line option,
introduced in GCC 4.0, the third approach could not be used.)

More explanations on this subject can be found in
-@url{http://gcc.gnu.org/wiki/Visibility}, which contains more details
+@url{https://gcc.gnu.org/wiki/Visibility}, which contains more details
on the GCC features and additional advice for C++ libraries, and in
-Ulrich Drepper's paper @url{http://people.redhat.com/drepper/dsohowto.pdf},
+Ulrich Drepper's paper @url{https://www.akkadia.org/drepper/dsohowto.pdf},
which also explains other tricks for reducing the startup time impact
of shared libraries.

diff --git a/doc/licenses-texi.texi b/doc/licenses-texi.texi
index 325e2ef..60110ef 100644
--- a/doc/licenses-texi.texi
+++ b/doc/licenses-texi.texi
@@ -3,7 +3,7 @@

Gnulib provides copies of the GNU GPL, GNU LGPL, and GNU FDL licenses
in Texinfo form. (The master location is
-@url{http://www.gnu.org/licenses/}). These Texinfo documents do not
+@url{https://www.gnu.org/licenses/}). These Texinfo documents do not
have any node names and structures built into them; for your manual,
you should @code{@@include} them in an appropriate @code{@@node}.

diff --git a/doc/posix-functions/mbtowc.texi b/doc/posix-functions/mbtowc.texi
index 2359480..b6ba430 100644
--- a/doc/posix-functions/mbtowc.texi
+++ b/doc/posix-functions/mbtowc.texi
@@ -14,7 +14,7 @@ Portability problems not fixed by Gnulib:
@itemize
@item
This function accumulates hidden state on some platforms:
-glibc 2.8 (see @url{http://sourceware.org/bugzilla/show_bug.cgi?id=9674}).
+glibc 2.8 (see @url{https://sourceware.org/bugzilla/show_bug.cgi?id=9674}).
@item
On AIX and Windows platforms, @code{wchar_t} is a 16-bit type and therefore cannot
accommodate all Unicode characters.
Tim Rühsen
2017-09-13 07:06:16 UTC
Good idea. The Wget project already worked (and still works) on that.

What about <http://www.gnu.org/licenses/> in the license headers ?


With Best Regards, Tim
Post by Paul Eggert
Since the GNU project is decommissioning FTP soon, I installed the attached.
What do people think about changing the Gnulib documentation and code to
use HTTPS instead of HTTP? That should help repel man-in-the-middle
attacks.
Paul Eggert
2017-09-13 07:53:51 UTC
What about <http://www.gnu.org/licenses/> in the license headers ?
We should change them too. I've done that in Gnulib, except for files we import
from elsewhere. I changed gnu.org URLs, along with fsf.org. I did not change
lists.gnu.org or nongnu.org, though, since they don't support HTTPS well enough
(if at all) yet. The patch is long and boring so I won't attach it. You can see
it here:

http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=ca35d468121a7ec60162155f9c3395068ca323d1
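
Added example, not part of the thread and not Gnulib's own tooling: a host-scoped rewrite in the spirit of the message above, upgrading only http:// links on hosts listed as converted, holding back the hosts named as not ready, and flagging everything else for manual review. The function names are hypothetical, the host lists are taken from the message, and the sample text is constructed from lines quoted on this page plus one made-up lists.gnu.org link.

```python
import re
from urllib.parse import urlsplit

# Host lists follow Paul Eggert's message: gnu.org and fsf.org were switched,
# lists.gnu.org and nongnu.org were left alone at the time.
UPGRADE = ("gnu.org", "fsf.org")
HOLD_BACK = ("lists.gnu.org", "nongnu.org")

# Cleartext URL up to whitespace or a Texinfo/angle-bracket delimiter.
# "http://" cannot match "https://", so converted links are left alone.
URL_RE = re.compile(r"\b(?:http|ftp|git)://[^\s{}<>,\"']+")


def host_matches(host, names):
    """True if host is one of names or a subdomain of one (label-aligned)."""
    return any(host == n or host.endswith("." + n) for n in names)


def classify(url):
    """Return 'upgrade', 'hold' or 'review' for one cleartext URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "http":
        return "review"   # ftp:// and git:// have no drop-in https spelling
    if host_matches(host, HOLD_BACK):
        return "hold"     # checked first: lists.gnu.org is also under gnu.org
    if host_matches(host, UPGRADE):
        return "upgrade"
    return "review"       # third-party host: a person must find the https form


def rewrite(text):
    """Rewrite only 'upgrade' URLs; return (new_text, [(action, url), ...])."""
    report = []

    def repl(match):
        url = match.group(0)
        action = classify(url)
        report.append((action, url.rstrip(".)")))
        return "https" + url[len("http"):] if action == "upgrade" else url

    return URL_RE.sub(repl, text), report


# Constructed sample: Texinfo links, a license header and a clone command.
SAMPLE = """\
@url{http://www.gnu.org/software/gnulib/MODULES.html}.
@uref{http://www.kernel.org/doc/man-pages/online/pages/man3/alloca.3.html,,man alloca}.
along with this program.  If not, see <http://www.gnu.org/licenses/>.
See http://lists.gnu.org/archive/html/bug-gnulib/ for the discussion.
$ git clone git://git.sv.gnu.org/gnulib.git
"""

if __name__ == "__main__":
    new_text, report = rewrite(SAMPLE)
    for action, url in report:
        print(f"{action:8} {url}")
    print(new_text)
```
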
Tim Rühsen
2017-09-13 08:04:19 UTC
Post by Paul Eggert
What about <http://www.gnu.org/licenses/> in the license headers ?
We should change them too. I've done that in Gnulib, except for files we
import from elsewhere. I changed gnu.org URLs, along with fsf.org. I did
not change lists.gnu.org or nongnu.org, though, since they don't support
HTTPS well enough (if at all) yet. The patch is long and boring so I
Good to know, I would like to change these as well then.

BTW, has there been some official statement and/or discussion about such
a change ? Should we put it on gnu-prog-discuss ?

Regards, Tim
Paul Eggert
2017-09-13 08:36:48 UTC
Post by Tim Rühsen
BTW, has there been some official statement and/or discussion about such
a change ? Should we put it on gnu-prog-discuss ?
It's been years since I read gnu-prog-discuss, but you're welcome to raise the
topic there. To me it's a no-brainer. Code injection attacks are easy with HTTP
and can cause serious damage, and code is the lifeblood of the free-software
movement. Nowadays it is almost irresponsible to encourage the use of HTTP to
distribute code.
Bruno Haible
2017-09-13 22:43:04 UTC
Post by Paul Eggert
I changed gnu.org URLs, along with fsf.org. I did not change
lists.gnu.org or nongnu.org, though, since they don't support HTTPS well enough
(if at all) yet.
I went through all remaining http:// URLs and replaced them with a https://
equivalent if I could find one. In some cases it was easy (e.g. Microsoft
takes care that old URLs keep working), in some other cases it was hard
(e.g. Oracle and HP regularly break URLs and trash published documentation
from their sites).

lists.gnu.org appears to work fine with https, so I included it.

Bruno
Paul Eggert
2017-09-13 23:41:53 UTC
Post by Bruno Haible
lists.gnu.org appears to work fine with https, so I included it.
https://lists.gnu.org is flaky. Sometimes it works, sometimes it doesn't
work for me. When it doesn't work, it's because I use Firefox configured
with security.tls.version.min set to 2, which means to use TLS 1.1 or
later, and whatever lists.gnu.org clone I happen to contact is
old-fashioned and supports TLS 1.0 at best. (mail.gnu.org is similar.) I
don't observe this problem with other gnu.org URLs. I have tried to open
a trouble ticket about this with the FSF sysadmins, but have received no
response yet.

No big deal; I wouldn't change the URLs back to HTTP as I expect the
matter will be fixed sooner or later.
Bruno Haible
2017-09-14 00:08:26 UTC
Post by Paul Eggert
When it doesn't work, it's because I use Firefox configured
with security.tls.version.min set to 2, which means to use TLS 1.1 or
later,
Well, that's a non-default configuration of Firefox :-)
Post by Paul Eggert
and whatever lists.gnu.org clone I happen to contact is
old-fashioned and supports TLS 1.0 at best.
Indeed, the SSL report of ssllabs.com for lists.gnu.org (208.118.235.17)
says that the server supports only TLS 1.0.
Post by Paul Eggert
No big deal; I wouldn't change the URLs back to HTTP as I expect the
matter will be fixed sooner or later.
Even if it doesn't get fixed soon: I think it is better if people access
a server over HTTPS with TLS 1.0, rather than with HTTP and no encryption
at all. Even if ssllabs.com explains [1] that "TLS 1.0 is insecure".

Bruno

[1] https://blog.qualys.com/ssllabs/2015/05/22/ssl-labs-increased-penalty-when-tls-12-is-not-supported
P***@dell.com
2017-09-14 00:14:03 UTC
Post by Bruno Haible
Post by Paul Eggert
When it doesn't work, it's because I use Firefox configured
with security.tls.version.min set to 2, which means to use TLS 1.1 or
later,
Well, that's a non-default configuration of Firefox :-)
Post by Paul Eggert
and whatever lists.gnu.org clone I happen to contact is
old-fashioned and supports TLS 1.0 at best.
Indeed, the SSL report of ssllabs.com for lists.gnu.org (208.118.235.17)
says that the server supports only TLS 1.0.
Post by Paul Eggert
No big deal; I wouldn't change the URLs back to HTTP as I expect the
matter will be fixed sooner or later.
Even if it doesn't get fixed soon: I think it is better if people access
a server over HTTPS with TLS 1.0, rather than with HTTP and no encryption
at all. Even if ssllabs.com explains [1] that "TLS 1.0 is insecure".
So why not force proper software? Have the server require TLS 1.2, disable HTTP. Those who have clients that can't cope, let them sort it out. It doesn't make sense to implement insecure mechanisms to work around people who don't want to use the right software.

paul
Bruno Haible
2017-09-14 16:51:49 UTC
Post by P***@dell.com
So why not force proper software? Have the server require TLS 1.2, disable
HTTP. Those who have clients that can't cope, let them sort it out.
It doesn't make sense to implement insecure mechanisms to work around people
who don't want to use the right software.
Go trolling [1][2] elsewhere, please. [3][4]
Or create a political party.

[1] https://en.wikipedia.org/wiki/Internet_troll
[2] http://www.urbandictionary.com/define.php?term=troll
[3] https://gcc.gnu.org/ml/gcc/2016-10/msg00024.html
[4] https://gcc.gnu.org/ml/gcc/2017-08/msg00215.html
