Force HTTPS on replicant.us
I noticed that the main website, redmine, and ftp.osuosl.org (where the Replicant images are hosted) are all only accessible through HTTP, but not HTTPS. It appears that replicant.us and redmine.replicant.us are listening on 443 and serving a certificate that's only valid for *.osuosl.org. Would it be possible to update the exiting SSL certificate to add replicant.us and redmine.replicant.us as alt names, and then force HTTPS? I had to create an account to login to redmine, which included sending a plaintext password over the internet.
And even worse, the Replicant image downloads that are linked from http://replicant.us/download/ are all hosted on http://ftp.osuosl.org/, with no HTTPS available. One of the reasons I'm so interested in Replicant is because I don't trust the software that came with my phone. If there isn't even the assurance of HTTPS during the download, I have no way to verify that the binary that I flash onto my phone wasn't modified in transit. It would also be helpful to provide detached PGP signatures to do verification, but I think HTTPS should be minimum.
I understand that there are issues with the public key infrastructure that mean that certain powerful attackers can force or convince CAs to sign malicious certs, but there are several technologies available to detect these types of attacks, such as the SSL Observatory (https://www.eff.org/observatory). It's much better to have HTTPS that protects against most attackers and forces all other attacks to risk discovery than it is to not use any encryption and make all attackers jobs easy.
RE: Force HTTPS on replicant.us - Added by Paul Kocialkowski about 6 years ago
I agree there -- we wanted to bring https to our websites but got carried away by other work. My short answer is that we'll probably wait a bit longer because we may change our domain name soon, so it would make sense to do it once we switch over to the new one. Thanks for bringing this up.