discuss - [opennic-discuss] Please, enable HTTPS on every website you can!

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

  • From: imsys <imsys AT riseup.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: [opennic-discuss] Please, enable HTTPS on every website you can!
  • Date: Mon, 07 Apr 2014 21:52:25 -0300

Hi everyone,

On the OpenNIC main page, opennicproject.org / opennic.glue, it says
"Protect Your Privacy". Great! I know the awesome work OpenNIC does. And
guess what? We can improve! :)

We could enable HTTPS on every page we could.

Mainly grep.geek, search.geek and all the domain registration websites,
like reg.for.free

Why?

1 - Anyone can set up a sniffer to get the data that goes via HTTP. The
attacker can get all form data too, like a username and password!!!!
http://reg.for.free/login/
HTTP is very insecure for login/registration.

2 - Some ISPs use Transparent Proxies to cache websites to save a lot of
bandwidth, but they can only do that to HTTP! SSL/TLS connections are
made directly with the website.
My ISP in Brazil does have a transparent proxy that makes me unable to
access OpenNIC HTTP websites. Fortunately I work at this ISP and I can
have a voice in the decisions. But other people may not be that lucky,
so enabling HTTPS will also help some people who are behind a proxy.


I know the OpenNIC project has so many domains and probably most of us do
not want to spend money on certificates, but I think it's completely
fine for us to use self-signed certificates.

For some domains we could try StartSSL, which gives free certificates. But
they only allow 1 subdomain, and I don't know if they would accept
OpenNIC TLDs.

Cheers! :)

imsys


