You should support https access to gentoo.org because you can. I would go so far as to recommend that, for browsers known to support https, you automatically redirect them from http to https when you can.
Eric? Comments?
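The http-to-https redirect suggested in the opening post, written out as an Apache httpd configuration. This is an added example, not configuration from gentoo.org or from any poster in this thread; the choice of Apache with mod_ssl, mod_alias and mod_headers, the hostname www.gentoo.org, the DocumentRoot and the certificate paths are all assumptions. The Strict-Transport-Security header goes beyond what the thread discusses (it postdates it, RFC 6797) but is how a server today handles the "browsers known to support https" part without sniffing User-Agent strings: browsers that understand the header switch themselves to https on later visits, and browsers that don't still get the plain 301 redirect.

```apache
# Added example only; not gentoo.org's real configuration.
# Assumes Apache httpd with mod_ssl, mod_alias and mod_headers loaded.
# Hostname, DocumentRoot and certificate paths are placeholders.

# Plain-http listener: serve nothing itself, send every request to https.
# "Redirect permanent" answers with a 301, so browsers and caches remember
# the https location; the request path is appended to the target URL.
<VirtualHost *:80>
    ServerName www.gentoo.org
    Redirect permanent / https://www.gentoo.org/
</VirtualHost>

# TLS listener: the only place the actual site content is served from.
<VirtualHost *:443>
    ServerName www.gentoo.org
    DocumentRoot /var/www/gentoo

    SSLEngine on
    # Placeholder paths for the server certificate and its private key.
    SSLCertificateFile    /etc/ssl/certs/www.gentoo.org.pem
    SSLCertificateKeyFile /etc/ssl/private/www.gentoo.org.key

    # Browsers that support HSTS will use https directly for the next year
    # (31536000 seconds) and never send a first request over plain http.
    # "always" makes the header appear on error responses too.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

The redirect and the header are complementary: the 301 covers the first visit of any client, the header removes the unencrypted first request on every later visit for clients that honour it. Before enabling the header on a real site, make sure every name under the host already serves valid https, since browsers will refuse plain http for it until max-age expires.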
What kind of information goes through gentoo.org that needs to be encrypted?
OpenBSD was the first UNIX distribution to ship with integrated crypto. According to http://www.openbsd.org/crypto.html: "Why do we ship cryptography? In three words: because we can." Now it is the norm to ship with OpenSSH.

According to some twisted logic, only the military and criminals need real crypto. Everybody else should be happy if the government had backdoor keys to access your encrypted information. Encrypting all information is a part of exercising your rights to have crypto. It makes it easier to notice you have the right and makes it much more noticeable when someone tries to take that right away. If you do eventually decide you really need crypto for some application, you don't want an attacker to have only a few transactions to attack. You want all your transactions encrypted so that they have a much larger computing effort to decrypt the transactions you want secured.

Consider the alternative extreme: require identification of accessors to the Gentoo site, information such as who they are and what company they work for. Then publish this information along with which pages they accessed and how long they spent on each page. Now a competitor can determine that they are looking into file sharing networks, security transactions, or whatever. The point is, unless you are comfortable publishing your lifetime web access history, you should secure all of it. And even if you are comfortable, others may not be; in fact they may be discriminated against based upon their interests.

Hopefully, eventually https will, like OpenSSH, be the norm. http should go the way of rsh, telnet, and ftp: obsoleted by secure protocols. Hopefully, eventually no one will ask why anyone needs encryption or if anyone has a need for a right to privacy.

The short answer to your question "What kind of information goes through gentoo.org that needs to be encrypted?" is "All information."

It's hip to encrypt,
-Arthur
Eric - Since you are webmaster, this is yours. Cheers, //zhen
Why would you want to use more overhead for encryption for something as trivial as the website of a distribution? There's no sensitive information being transferred. Would you use secure telephone connections to call your mother? :-)
I'll expand a little bit. My reasoning is this: encryption makes sense in situations where privacy is assumed or expected. For example, encryption makes sense when transferring passwords - you don't want other people to know your passwords. Encryption makes sense for chat/email - you expect that your personal conversations will remain private. It's a bit of a stretch, but encryption even makes sense for minor phone calls - again, you expect privacy. With a website, however, it's something available to the public - something anyone can view. Because anyone can view it and you're not transferring anything you assume to be private (obviously, website content isn't assumed to be something private between two people, generally speaking) it's not worth it to use encryption.
Yes, there is some overhead incurred. Most of the cost actually occurs in the setup when a user connects for the first time. If you have a few spare CPU cycles, the overhead is negligible. If the choice is insecurity or no service, the choice is obviously insecurity. If the choice is securing the right to privacy or negligible overhead, my choice is securing the right to privacy. To do this, I would like to secure all my transactions. Even my calls to my mother.

Concerning web site content being public: in some places people are discriminated against based upon their interests. Those interests might be anything from Falun Gong to encryption. Gentoo includes some things that have been labeled criminal or un-American in the press: mp3 technology, PGP, P2P, libdvdcss, GPL, etc. Even if it didn't, you are making the argument that until you decide to do something someone might discriminate against you for, you will not exercise your right to privacy because you can't spare a few CPU cycles. The question you need to ask yourself is: how much do you value your right to privacy?
I agree that we need to work to protect our rights, especially now that governmental structures are becoming more totalitarian than ever. However, the fact is, those of us who realize the value of privacy will work hard to protect that privacy (and encryption) if it's taken away - it doesn't need to be implemented everywhere to achieve this. Implementation of secure protocols on things like websites that can be accessed by the public won't bring anyone else on the privacy boat with us. The decision to use encryption on the website is, of course, not up to me, but there's my opinion on it.
Instead of pledging to protect my right to privacy if it is taken away, perhaps it would be better if you allowed me to exercise that right with https. If you do not allow me to exercise my right to privacy, you have managed to take it away without involving any government. Using https is practically free. What do you think is the downside?
I think https is not needed here. If we add a section later that users can log onto, for instance, then that area would most likely use https. However, at this time there is, in my opinion, absolutely no reason to use it.
no need