From: eric@konklone.com
To: ruby-core@ruby-lang.org
Date: Mon, 29 Dec 2014 02:45:29 +0000
Subject: [ruby-core:67195] [ruby-trunk - Feature #10672] [Open] Enable SSL on cache.ruby-lang.org
X-Mailer: Redmine
X-Redmine-Host: bugs.ruby-lang.org
X-Redmine-Project: ruby-trunk
X-Redmine-Issue-Id: 10672
X-Redmine-Issue-Author: konklone
X-Redmine-Sender: konklone
X-ML-Name: ruby-core
X-Mail-Count: 67195
Authentication-Results: funfun.nagaokaut.ac.jp (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=sendgrid.me
List-Id: Ruby developers
Sender: "ruby-core"

Issue #10672 has been reported by Eric Mill.
----------------------------------------
Feature #10672: Enable SSL on cache.ruby-lang.org
https://bugs.ruby-lang.org/issues/10672

* Author: Eric Mill
* Status: Open
* Priority: Normal
* Assignee:
* Category: Project
* Target version:
----------------------------------------

(I apologize if this is not the best place for this -- I'm happy to move this to a different place if it's more appropriate.)

Ruby's official distribution server, cache.ruby-lang.org, is not served over HTTPS. When accessing the server over HTTPS, it presents a certificate from Fastly that is invalid for the domain.

I strongly believe that downloads of public builds of Ruby should be secure, private, and resistant to tampering. HTTPS provides all of those properties.

Some clients, like ruby-build and rvm, use client-side hashes to verify build integrity. Not all clients or users will do this verification, and so baking it into the cache.ruby-lang.org server will ensure that a broader set of Ruby users has a secure, verified download of Ruby.

Even when clients do perform client-side integrity checking, there is always a privacy implication to downloading information. Downloading Ruby without SSL leaks information about the client performing the download through request headers, and informs anyone watching the connection what version of Ruby is likely to be running on the downloading machine. In addition, traffic can be correlated in unpredictable ways: for example, a user agent sent to connect to a download of a Ruby build may appear later to download other information, providing a pattern of client behavior.

In any case, the web is, in general, moving to favor encrypted connections. SSL is faster, CAs like SSLMate and Let's Encrypt are emerging to make the process simpler, and web browsers are starting to encourage encrypted connections and discourage unencrypted ones.

I request that the Ruby team:

* install a valid certificate on cache.ruby-lang.org.
* update any links to cache.ruby-lang.org controlled by the Ruby team to use the https:// version.
* notify the community of the SSL availability with a tiny announcement post.

Thank you for considering my request.

-- 
https://bugs.ruby-lang.org/
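The message above describes two complementary controls: TLS on the download server (integrity plus confidentiality of which version a client fetches) and the client-side hash check that tools like ruby-build and rvm perform. The following is an added example, not code from the issue, from ruby-build, or from rvm, showing how a client combines both: it refuses any non-HTTPS URL before connecting, fetches with certificate verification enabled, and compares the downloaded file's SHA-256 against a digest pinned from an out-of-band source (a release announcement or a checksum file the client already trusts). The function names and the `expected_sha256` argument are this example's own; nothing here is an API of the projects mentioned.

```ruby
require 'net/http'
require 'openssl'
require 'digest'
require 'uri'

# Refuse anything that is not https:// before a single byte leaves the host.
# Over plain http the request path (and so the Ruby version being fetched)
# is visible to anyone on the network path, and the body can be altered.
def https_uri!(url)
  uri = URI.parse(url)
  raise ArgumentError, "refusing non-HTTPS URL: #{url}" unless uri.is_a?(URI::HTTPS)
  uri
end

# Compare two hex digests without short-circuiting on the first differing
# byte. Length mismatch is rejected up front (it is not secret here).
def digest_match?(actual_hex, expected_hex)
  return false unless actual_hex.bytesize == expected_hex.bytesize
  diff = actual_hex.downcase.bytes.zip(expected_hex.downcase.bytes)
                   .inject(0) { |acc, (a, b)| acc | (a ^ b) }
  diff.zero?
end

# Hash a file on disk and check it against the pinned digest. On mismatch
# the file is removed so a tampered build cannot be used by accident.
def verify_file!(path, expected_sha256)
  actual = Digest::SHA256.file(path).hexdigest
  unless digest_match?(actual, expected_sha256)
    File.delete(path) if File.exist?(path)
    raise "checksum mismatch for #{path}: got #{actual}, expected #{expected_sha256}"
  end
  true
end

# Download over TLS with peer certificate verification (VERIFY_PEER, so an
# invalid or mismatched certificate aborts the connection), then verify the
# file. The pinned digest must come from somewhere other than the same
# unauthenticated channel, or the check adds nothing.
def fetch_and_verify(url, dest, expected_sha256)
  uri = https_uri!(url)
  Net::HTTP.start(uri.host, uri.port,
                  use_ssl: true, verify_mode: OpenSSL::SSL::VERIFY_PEER) do |http|
    http.request_get(uri.request_uri) do |res|
      raise "HTTP #{res.code} for #{url}" unless res.is_a?(Net::HTTPSuccess)
      File.open(dest, 'wb') do |f|
        res.read_body { |chunk| f.write(chunk) }
      end
    end
  end
  verify_file!(dest, expected_sha256)
end

# Usage (network access required; the URL and digest are placeholders to be
# replaced with a real release path and its published SHA-256):
#   fetch_and_verify("https://cache.ruby-lang.org/pub/ruby/ruby-X.Y.Z.tar.gz",
#                    "ruby-X.Y.Z.tar.gz", "<pinned sha256 hex>")
```

Note what each half covers: `https_uri!` plus `VERIFY_PEER` addresses the transport (tampering in flight and the privacy leak of the requested path), while `verify_file!` addresses the server itself being compromised or the mirror serving a stale or modified file. Neither alone gives both properties, which is the point the request makes about clients that skip the hash step.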