On Wed, Feb 15, 2017, at 01:56 PM, Corey W Sheldon wrote:
Tomasz Torcz:
On Wed, Feb 15, 2017 at 11:32:28AM +0100, Jean-Baptiste Holcroft wrote:
Le 2017-02-14 20:10, Kevin Fenzi a écrit :
There's no real security advantage here, other than making more traffic on the net encrypted, which I think is a good goal.
What do folks think? Doable? To harsh? Pointless?
Do you have any statistics of the number of blog that should migrate? Total blog number, total blog with partial https (is it easy to detect?), total blog with full https.
I've tried to estimated this, using http://fedoraplanet.org/heads.html:
– there are 716 blogs in total * 284 URLs start with https:// * 432 URLs start with http://
- if I do s/http/https/ and try to access the blogs (of 432 "http://" ones):
- 225 over https returned content with roughly the same size as returned over http
- 209 weren't accessible by https
- 34 weren't accessible by http, either
I did not check if those 225 "forced https" contain any mixed content.
Summary:
- we have 716 blogs on Planet
- we can access (284+225=) 509 of them over https
- by forcing https we would loose ~ 200 blogs
I'd recommend a hybrid deadline, say 6 months from ?today ?($date)? blog is less favored if by Jan 1 2018 it's still not https it gets dropped, this let's people know 1) we are seriously 2) not trying to kill them with an immediate seemingly arb. deadline.
This is a very reasonable proposal, but could represent a problem for some in an indirect way. My personal blog is currently hosted in a manner that makes using https not possible.[^0] I don't know if others are in a similar situation, but it is reasonable to think so. Enabling https is one thing, but in my case a full migration will be required. Is there a reason we need to require the blogs that are aggregated to be https and not just encourage it and move the planet to https?
regards,
bex
^0: I use a free hosting platform that cannot do https for custom domains. However, everything else, static site generation, git, etc. is exactly like I like it :)