ResetTheNet Discussion

HSTS

We could fairly quickly and easily decide to do HSTS for the web servers that we run here; this does not include http://www.inf.ed.ac.uk, our main public face - but does include http://homepages.inf.ed.ac.uk/? What about http://wcms.inf.ed.ac.uk/, which hosts for example the LFCS pages? This implies using HTTPS for all our pages, even those that only serve public information, and declaring that we do so.

• if we did so, the benefits (given that we already use https everywhere it's traditionally seen to be needed) would be:
• being seen to support Reset the Net;
• making it harder for another site to impersonate us (would have to be an attack aimed at us specifically)

and the costs would be:

• initial implementation effort, acceptable we think;
• some performance overhead of using https for everything, but my guess is that's not large enough to be an issue?
• monetary cost of certificates? I don't know about this; what numbers are we talking?
• the risk that some people would have difficulty accessing pages we want them to access. (Hence some support costs when they told us about it, and some opportunity costs when they didn't.) I'm not sure how big a problem this is, but here's a page of people having various different problems accessing facebook and twitter (commonest problem seems to be date/time set wrong on user's computer, but there are others); otoh, it doesn't seem to be doing facebook or twitter too much harm and our users are probably more clufeul than theirs on average! https://productforums.google.com/forum/#!topic/chrome/WeZJFO2Ie3Y

PFS

We cannot do this by June 5th, but Alastair will propose a project to do it (which will them be considered for prioritisation). I'm not clear on whether using PFS would also commit us to using HTTPS for all pages, or whether it still makes sense to use even while only some pages use HTTPS?

It's not obvious to me that this has any downside apart from the implementation cost, though if it requires us to use HTTPS for everything it has the same costs listed for HSTS.

PGP/GPG for email

I'm also in the group of people who have tried this and given it up as too cumbersome. It's not obvious that there's much we can sensibly do here to help concretely, but we could at least make sure our documentation is as helpful as possible. NB David Aspinall has a nice page here:

http://homepages.inf.ed.ac.uk/da/id/gpg-howto.shtml

The only place I found pgp and gpg mentioned on the computing documentation pages was here:

http://computing.help.inf.ed.ac.uk/data-security

Perhaps David's page should be linked from here? The information might also be split, so that we provide information on how to use the software under Software, and link to it from this Policies and Guidelines page, rather than only having the software mentioned here.

-- TimColles - 13 May 2014