I went through some parts of the Gentoo webpage and there are a couple of links that are HTTP and should be HTTPS. Gentoo internal: * The packages.gentoo.org link, present in the menu on all pages. The webpage redirects to https anyway, so linking it via http just adds an additional redirect. * The links to the mailing list archives on https://gentoo.org/get-involved/mailing-lists/ - as with packages, these redirect to https anyway, so we can save a redirect by making them https. * Links to anongit and gitweb on https://gentoo.org/get-involved/get-code/ External: * The PGP key links on https://gentoo.org/support/security/ probably should point to a secure location. The pgp.mit.edu keyserver can still be used with the same url and without a port number, e.g. https://pgp.mit.edu/pks/lookup?op=get&search=0x36BA656112EE3000 There's probably more, but I'd want to start getting a few of these resolved. (P.S.: The moarTLS chrome/chromium plugin is very helpful in finding these http links)
I have push access to www.g.o now and can fix these things.
Fixed: * Links to anongit and gitweb on https://gentoo.org/get-involved/get-code/ via - https://gitweb.gentoo.org/sites/www.git/commit/?id=bd838a463e04dd60a279777d0c7231572774d3c8 * Mailing list archives on https://gentoo.org/get-involved/mailing-lists/ via: ** https://gitweb.gentoo.org/sites/www.git/commit/?id=87f354a2ac72d228c63455938d4fafb33f6f7557 ** https://gitweb.gentoo.org/sites/www.git/commit/?id=21336b65dae90ebd40021b0f252d1853e6cfbec1 * GPG links fixed. Now they use the HTTPS link you suggested. The contacts have also been updated (fix via bug 616772). Already fixed? * The packages.g.o link in the drop down header at the top seems to be fixed already.
