
Comments (12)

maddyblue commented on July 18, 2024

DreamHost will issue free (with automatic updates) certs from Let's Encrypt: https://www.dreamhost.com/blog/2016/01/20/free-ssltls-certificates-at-dreamhost-with-lets-encrypt/

Even with this I still think it's worth adding Cloudflare for the CDN-around-the-world bonus.

from docs.

jseldess commented on July 18, 2024

@jess-edwards: Seems like this is something we'll need to coordinate with DivisionOf?


maddyblue commented on July 18, 2024

We can do the Cloudflare thing without talking to them at all, since it's DNS settings, and we control those (well, I hope we do).


mberhault commented on July 18, 2024

This has been on my plate. We also need to figure out the migration story for the blog; that may cause issues if we keep the blog and the rest of the site on separate hosts.
@jseldess: no DivisionOf involvement necessary; we have admin accounts on DreamHost and control the DNS settings anyway.


jess-edwards commented on July 18, 2024

@mjibson @mberhault Why do we need to put https on the entire website? There's no login/user info and no financial information shared. Seems unnecessary but I'm open to hearing justification.


mberhault commented on July 18, 2024

There's login for the WordPress admin thing. We'll also have binaries at some point, and probably with a checksum listed on the website to verify third-party downloads; those should be behind SSL.
But in general, HTTPS is a good thing.


maddyblue commented on July 18, 2024

@jess-edwards There's no technical reason we need HTTPS for the website. It does provide a reasonable amount of safety, though, if people are downloading binaries to run on their machine. If they are more certain that the link on the website and the binary it links to are served over HTTPS, the chance of it containing something bad is lower. This is all pretty theoretical, but possible.

A stronger reason is social. People developing web apps today who are considering CockroachDB are at the forefront of technology, and may well enjoy trying lots of new technologies. There has been lots of work on the HTTPS and crypto front lately (HTTP2, Let's Encrypt, Cloudflare Universal SSL, SHA1 deprecation, OpenSSL/BoringSSL, keybase.io) and so it is reasonable to assume these people simply value HTTPS. As in, they trust and value sites that allow HTTPS more than others. Supporting HTTPS is like waving a flag to these people that we get who they are and what they value, and we can help provide that. Rather, not having HTTPS is saying the opposite: that there's a big part of the things they value that we don't value, and thus haven't done.


maddyblue commented on July 18, 2024

See this tweet from today, for example:

https://twitter.com/SwiftOnSecurity/status/704331207178190850


bdarnell commented on July 18, 2024

It's important for pages that offer download links to be on HTTPS. It doesn't matter too much whether the entire site is HTTPS or not, but once we have HTTPS for part of it, why not all of it? HTTPS will probably actually speed things up since Chrome will only use HTTP/2 for HTTPS, and Google has said they plan to consider HTTPS as a positive sign in ranking. For comparison, mongodb and mysql's sites are all HTTPS, although rethinkdb and postgresql's are not.

If we're 100% HTTPS we can also use HSTS for extra security.


mberhault commented on July 18, 2024

I think we're all agreed then.
I enabled secure hosting with free certs from Let's Encrypt on DreamHost a few hours back, but we're still in that limbo where things haven't been pushed yet or they're broken. I'll keep checking.


jess-edwards commented on July 18, 2024

Sounds good to me.


mberhault commented on July 18, 2024

This is done, minus a few absolute image links still pointing to http, but I'm fixing those.
We now have https://www.cockroachlabs.com, which is automatically redirected to when you hit any of http://www.cockroachlabs.com, http://cockroachlabs.com, or https://cockroachlabs.com
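
The redirect behaviour described in the last comment, the HSTS point raised earlier in the thread and the leftover http image links can all be checked mechanically. This is an added example, not part of the original thread or the project's code: the response table, the HSTS value, the HTML snippet and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

CANONICAL = "https://www.cockroachlabs.com/"
REDIRECT = {"Location": CANONICAL}

# Constructed responses (status, headers) per entry URL; not captured from the live site.
# The HSTS value is an assumed policy; the thread only says HSTS becomes possible.
SAMPLE = {
    "http://www.cockroachlabs.com/": (301, REDIRECT),
    "http://cockroachlabs.com/": (301, REDIRECT),
    "https://cockroachlabs.com/": (301, REDIRECT),
    CANONICAL: (200, {"Strict-Transport-Security": "max-age=31536000"}),
}

def follow(url, responses, limit=5):
    """Return the chain of URLs visited while following redirects in the table."""
    chain = [url]
    while responses[chain[-1]][0] in (301, 302, 307, 308):
        if len(chain) > limit:
            raise ValueError("too many redirects from " + url)
        chain.append(responses[chain[-1]][1]["Location"])
    return chain

def check_entry(url, responses):
    """List problems for one entry URL: wrong destination or HTTPS-to-HTTP downgrade."""
    chain = follow(url, responses)
    problems = []
    if chain[-1] != CANONICAL:
        problems.append("ends at " + chain[-1])
    schemes = [urlsplit(hop).scheme for hop in chain]
    if any(a == "https" and b == "http" for a, b in zip(schemes, schemes[1:])):
        problems.append("downgrades from https to http")
    return problems

def hsts_max_age(headers):
    """Seconds from Strict-Transport-Security max-age, or None if absent or malformed."""
    m = re.search(r'max-age\s*=\s*"?(\d+)', headers.get("Strict-Transport-Security", ""), re.I)
    return int(m.group(1)) if m else None

def insecure_subresources(html):
    """http:// URLs in src attributes, e.g. the leftover absolute image links."""
    return re.findall(r'\bsrc\s*=\s*["\'](http://[^"\'\s>]+)', html, re.I)

if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry, check_entry(entry, SAMPLE) or "ok")
    print("HSTS max-age:", hsts_max_age(SAMPLE[CANONICAL][1]))
    page = '<img src="http://www.cockroachlabs.com/a.png"><img src="/b.png">'  # constructed
    print("mixed content:", insecure_subresources(page))
```

Against a live site the table would be filled from real responses fetched with redirects disabled, so each hop is inspected rather than only the final page.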
