HTTPS support for *.gimp.org
Alongside the move to a new site layout for +GIMP
, we have added HTTPS support to the gimp.org
sites - at least the ones we are hosting ourselves.
We are currently combing the content for links that include the protocol (http:), and replace them by relative links and protocol-agnostic versions.
The Wiki-, Registry- and Build-Server are hosted and managed by individuals from the GIMP team and will throw warnings due to self-signed certificates - except for the Build-Server with its valid cert (unfortunately it is down at the moment, a fact I discovered when checking for its https support a few days ago).So, do we need to spend donated money on SSL certificates, every year?
Nah. We are using Let's Encrypt, a free, automated, and open certificate authority brought to you by the Internet Security Research Group - visit them on https://letsencrypt.org/
They focus on the only thing SSL certs are really good for - encrypt the connection to a site - and automate everything, including the web server config (you can choose to provide CSR yourself and keep their client off your private key, and you can also change the server config yourself and not have the client mess with that)Will this leave anyone behind?
Yes. As you can see in the Handshake simulation section of the test report on https://www.ssllabs.com/ssltest/analyze.html?d=gimp.org
, users with IE 6 8 on Windows XP, Android 2.3.7 and Java-6u45-based clients won't be able to access https://www.gimp.org
and any of the other sites (XP users: at least witch to a different browser, will you?). From a technical pov, this is due to the SNI requirement and not https per se.
P.S. I hope Google+ will do its homework and make automatically created links for things like gimp.org
link to the https versions... maybe they'll do that once their searches discover the availability.