Yeah, more security and privacy, because Linux Audio packages are
constantly attacked by enemies :D

Hey Ralf,
That is right. I am not sure, how many can be convinced in the near
future. Asking is cheap, though, so would that work for you Fons? :)
That of course is also true and thanks for pointing it out.
When writing, I was more thinking of subdomains hosting applications,
that require authentication (then seeing, that e.g.
{lists,wiki}.linuxaudio.org already facilitate letsencrypt certs).

Of course, given the right tools and infrastructure, it gets
increasingly harder to achieve some form of privacy.
However, that's no reason not to aim for the maximum amount thereof.

In any case (unless your ssl is broken) and however one wants to turn
it: It is beneficial to implement https and I'm happy to hear it will be
done.

Best,
David

i'm not sure whether i read this correctly, but you make it sound like
there's technical problems hindering the implementation of https://,
although i think these are merely social (e.g. you don't want to shove
https:// down the throat of just anybody).
it's also slightly unclear what you mean by "users" (intuitively i would
have said that "users" refers to the people who want to access the
website with their browsers; however, as ***@linuxaudio.org you might
think of the 'variety of organizations and people' who host projects on
linuxaudio.org as your "users").

also, there's a slight difference between "enforcing the usage of SSL"
(shoving it down the throats of everybody) and "enabling" it.


https:// is a great means against mitm attacks; as ralf has pointed out,
it's less useful as a tool to ensure privacy (use tor for that) or
integrity (use gpg signatures for that). however, it does help raising
the standards for both.
there is practically no reason to *not* use https:// everywhere (well
there's one: CPU power on the server side).

if CPU power is not a problem, i would suggest to:
- enable https:// for *all* VHOSTS that are directly running on the
linuxaudio.org infrastructure
- allow all organizations and people that "run" one of these VHOSTS to
permanently redirect to https:// (if the choose so).

of course people who run their own VHOSTS (if any) need to implement
https:// themselves.

and of course, i'm not associated with anything linuxaudio.org, so i
don't know the exact contract under which you give away VHOSTS.

asdr
IOhannes

Well, it's quite easy, and arguably preferable, to install certs on a
domain by domain basis. This is well supported by Let's Encrypt and
certbot.

Best,

Janina
--
Janina Sajka, Phone: +1.443.300.2200
sip:***@asterisk.rednote.net
Email: ***@rednote.net

Linux Foundation Fellow
Executive Chair, Accessibility Workgroup: http://a11y.org

The World Wide Web Consortium (W3C), Web Accessibility Initiative (WAI)
Chair, Accessible Platform Architectures http://www.w3.org/wai/apa

I'm absolutely in favor of enabling https for kokkinizita.

I'm using Let's Encrypt on https://rangerovers.pub and it's been pretty
hassle-free. I had minor issues at the start because some people were
visiting from the old domain name, but nothing insurmountable.

If you have anything where you accept user input on your website (the
obvious case being a username and password, but even a search box) then
you should absolutely be using HTTPS, right now.