On Wed, Feb 15, 2017, at 01:56 PM, Corey W Sheldon wrote:
Tomasz Torcz:
> On Wed, Feb 15, 2017 at 11:32:28AM +0100, Jean-Baptiste Holcroft wrote:
>> Le 2017-02-14 20:10, Kevin Fenzi a écrit :
>>> There's no real security advantage here, other than making more traffic
>>> on the net encrypted, which I think is a good goal.
>>>
>>> What do folks think? Doable? To harsh? Pointless?
>>
>> Do you have any statistics of the number of blog that should migrate? Total
>> blog number, total blog with partial https (is it easy to detect?), total
>> blog with full https.
>
> I've tried to estimated this, using
http://fedoraplanet.org/heads.html:
>
> – there are 716 blogs in total
> * 284 URLs start with https://
> * 432 URLs start with http://
>
> - if I do s/http/https/ and try to access the blogs (of 432 "http://"
ones):
> - 225 over https returned content with roughly the same size as returned over
http
> - 209 weren't accessible by https
> - 34 weren't accessible by http, either
>
> I did not check if those 225 "forced https" contain any mixed content.
>
> Summary:
> - we have 716 blogs on Planet
> - we can access (284+225=) 509 of them over https
> - by forcing https we would loose ~ 200 blogs
>
I'd recommend a hybrid deadline, say 6 months from ?today ?($date)?
blog is less favored if by Jan 1 2018 it's still not https it gets
dropped, this let's people know 1) we are seriously 2) not trying to
kill them with an immediate seemingly arb. deadline.
This is a very reasonable proposal, but could represent a problem for
some in an indirect way. My personal blog is currently hosted in a
manner that makes using https not possible.[^0] I don't know if others
are in a similar situation, but it is reasonable to think so. Enabling
https is one thing, but in my case a full migration will be required.
Is there a reason we need to require the blogs that are aggregated to be
https and not just encourage it and move the planet to https?
regards,
bex
^0: I use a free hosting platform that cannot do https for custom
domains. However, everything else, static site generation, git, etc. is
exactly like I like it :)