Force HTTPS on

Added by Micah Lee about 7 years ago

I noticed that the main website, redmine, and (where the Replicant images are hosted) are all only accessible through HTTP, but not HTTPS. It appears that and are listening on 443 and serving a certificate that's only valid for * Would it be possible to update the existing SSL certificate to add and as alt names, and then force HTTPS? I had to create an account to login to redmine, which included sending a plaintext password over the internet.

And even worse, the Replicant image downloads that are linked from are all hosted on, with no HTTPS available. One of the reasons I'm so interested in Replicant is because I don't trust the software that came with my phone. If there isn't even the assurance of HTTPS during the download, I have no way to verify that the binary that I flash onto my phone wasn't modified in transit. It would also be helpful to provide detached PGP signatures to do verification, but I think HTTPS should be minimum.

I understand that there are issues with the public key infrastructure that mean that certain powerful attackers can force or convince CAs to sign malicious certs, but there are several technologies available to detect these types of attacks, such as the SSL Observatory ( It's much better to have HTTPS that protects against most attackers and forces all other attacks to risk discovery than it is to not use any encryption and make all attackers' jobs easy.
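The certificate problem described in the post (a wildcard certificate that does not cover the bare domain or the other hosts) can be checked mechanically. The following is an added example, not code from the poster or the Replicant project; the domain `example.org` and the host list are constructed placeholders for the elided names, and the wildcard rule follows RFC 6125 (a `*` matches only a single leftmost label).

```python
import socket
import ssl


def san_matches(hostname, san_entries):
    """True if hostname is covered by a DNS entry in the certificate's SAN list.

    A wildcard is honoured only as the entire leftmost label, so '*.example.org'
    covers 'www.example.org' but neither 'example.org' nor 'a.b.example.org'.
    """
    host = hostname.lower().rstrip(".")
    for kind, value in san_entries:
        if kind != "DNS":            # ignore IP/email entries
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]     # ".example.org"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else None
            if prefix and "." not in prefix:
                return True
    return False


def missing_names(wanted_hosts, san_entries):
    """Hosts the certificate does not cover: the alt names that must be added."""
    return [h for h in wanted_hosts if not san_matches(h, san_entries)]


def fetch_san(hostname, port=443, cafile=None):
    """Fetch a live server's SAN list (network). The chain is still verified,
    so a cert from a non-default CA needs its root passed as cafile; only the
    hostname check is disabled, because a mismatch is what we want to report."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert().get("subjectAltName", ())


if __name__ == "__main__":
    # Constructed sample: the cert only lists the wildcard, as in the post.
    sample_san = [("DNS", "*.example.org")]
    wanted = ["example.org", "www.example.org", "redmine.example.org",
              "ftp.images.example.org"]
    print("not covered:", missing_names(wanted, sample_san))
```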

Replies (2)

RE: Force HTTPS on - Added by Paul Kocialkowski about 7 years ago

I agree there -- we wanted to bring https to our websites but got carried away by other work. My short answer is that we'll probably wait a bit longer because we may change our domain name soon, so it would make sense to do it once we switch over to the new one. Thanks for bringing this up.

RE: Force HTTPS on - Added by Paul Kocialkowski over 6 years ago

https is now enabled on and! We use a certificate signed by CAcert.