
[Devel] Moving the site to https (I just did it, but, um, should we really keep it this way?)

Asheesh Laroia asheesh at openhatch.org
Thu Dec 3 16:38:46 UTC 2009


Excerpts from Raphael Krut-Landau's message of Thu Dec 03 15:57:43 +0000 2009:
> Would this work: Move the CRM somewhere else, and redirect https to http?

(Well, we're ditching the CRM anyway. Yeah, we'll move the CRM somewhere else
at some point.)

> While you make a good case for https not mattering that much, I feel it
> would be prudent to avoid, if we can, moving the whole site into
> https. The downside is that it's a slightly slower protocol (because
> of PermanentRedirects and handshaking) that has more moving parts,
> thus slightly higher maintenance costs and more potential ways to
> fail. (Possibly this is a very small downside, but it's still a
> downside.) And the upsides to https seem small: a slight feeling of
> security for our users perhaps, but we use OpenID anyway. Has anybody
> asked for https?

The redirects are temporary. Once people's links adjust, the redirects will
make no difference. (I guess that's only true if they don't type in the
URL themselves. Then they'd still get one extra redirect.)

There aren't really many more moving parts.

And I do want to use https for the bug tracker. It's irresponsible to let people POST
passwords to us in cleartext, at least so long as we have passwords there.

I guess it's because of /bugs/ that I have the clearest argument for switching to https.
But maybe we can talk this through in person tomorrow, and I'll leave things the way
they are for now.

(This is because of https://openhatch.org/bugs/issue20 FWIW.)

-- Asheesh.

-- 
You would if you could but you can't so you won't.

