serve the rust-lang.org domain over https

[thestinger]

I don't think there's really any need to have http for the site at all. Any non-TLS location is a chance for an attacker to send users to a malicious download.

[SimonSapin]

This should apply to all subdomains (www., static., doc., anything else that exists.)

@brson, what’s needed for this to happen?

[SimonSapin]

@brson, This should be closed as duplicate of #16123 which, although more recent, has more discussion.

[SimonSapin]

I hadn’t realized that #16123 was only about static.rust-lang.org and links to it. www.rust-lang.org and doc.rust-lang.org should of course be HTTPS as well. Could this be re-opened?

[DomT4]

Presuming the Rust website is hosted and not say, deployed via Github Pages or similar, you could always use Cloudflare to slap SSL/TLS protection across the whole domain, and then you can stick self-signed or CA-signed certs on the server, and you'd have full SSL/TLS protection from user to Cloudflare to server and back the other direction.

If you went with self-signed certs sitting behind the Cloudflare protection, you'd actually spend less per year than it'd cost purchasing a wildcard cert to cover everything. Cloudflare allows you to stick self-signed certs on the server without it raising an enormous browser red-flag.

Reasonably easy to setup, as well.

[SimonSapin]

It might also make sense to use whatever setup we already use for static.rust-lang.org. CC @brson

[brson]

The rust website is hosted on GitHub pages. It would need to be hosted somewhere else to serve it over https.

[gsingh93]

It looks really bad when I see a big project like this that still hasn't gotten HTTPS on their website. What exactly is blocking this? It shouldn't be hard to do. If the current hosting can't provide it, it should be changed.

[frewsxcv]

Related issue: #13180 #17914

[DomT4]

Related issue: #13180

#17914, presumably? :)

[frewsxcv]

Yes, thanks :)

[brson]

To do this we need to frob the nginx config to redirect www.rust-lang.org to GitHub pages, then update the DNS to point to the nginx server.

[sigmavirus24]

It'd also be pretty great if Rust became the third language in the "Good" category on https://httpswatch.com/programming#programming-languages

[gsingh93]

I don't want this to come off as aggressive, but I'm genuinely wondering why this is taking so long? This shouldn't take more than 20 minutes to set up. Setting up a MITM attack to change the download links to malicious links is trivial, not to mention not having HTTPS is just plain unprofessional.

[brson]

@gsingh93 It's taking a long time because it's not considered a high priority. @edunham has it on her todo list and I expect she'll complete it soon.

[edunham]

Status: https://www.rust-lang.org/ fixes the original issue of this ticket. http://rust-lang.org redirects to https://www.rust-lang.org. rust-lang/prev.rust-lang.org#165 will handle the issues raised in the ensuing discussion.

At least we're up to "mediocre" on https://httpswatch.com/programming#programming-languages 😒

[gsingh93]

Yay! Nice work!

(This issue should probably be closed now.)

[tanriol]

The github's certificate is still in use for https://blog.rust-lang.org (rust-lang/blog.rust-lang.org#81).