mlpack / mlpack.org

Sources to www.mlpack.org.

mlpack.org is still serving HTTP by default. Configure the server to always use HTTPS. #20

Closed gmanlan closed 4 years ago

gmanlan commented 4 years ago

If you type mlpack.org in the browser URL bar, it brings the HTTP site by default, which is insecure. Even though https is available, the web server should be configured to serve HTTPS as the default, and redirect http to https if that option is still required for some reason.

conradsnicta commented 4 years ago

Does using https in this case bring any tangible benefits vs the potential cost of a more brittle setup?

I can understand using https on sites that require a login, but here there's nothing of a secure nature.

gmanlan commented 4 years ago

mlpack is already offering HTTPS, but HTTP is still the default option.

Browsers are either enforcing HTTPS or clearly penalizing HTTP (https://www.blog.google/products/chrome/milestone-chrome-security-marking-http-not-secure/). Most gateway security solutions won't allow you to navigate insecure sites anymore. Not offering HTTPS is effectively isolating mlpack from the world, not even mentioning the security issues mlpack might be exposed to.

rcurtin commented 4 years ago

I'm in agreement with @conradsnicta: the user can already select HTTP or HTTPS based on the URL they enter, and at least for mlpack's documentation HTTPS doesn't bring a tangible benefit.

But, @gmanlan, you are also absolutely right that HTTP-only sites seem to be frowned upon these days, and if we have to serve HTTPS to keep up with what's going on, that's fine by me (it's a simple Apache config change I can do). But, I still have one question: how does the user specify they want HTTP-only? If I make this change, http://www.mlpack.org redirects to https://www.mlpack.org and there's no way to get HTTP-only. Are there standard ways that other sites allow insecure HTTP access?

gmanlan commented 4 years ago

I don't think the specification allows you to keep HTTP and HTTPS on the same port and switch back depending on the client. As you said, you may need to redirect from HTTP to HTTPS for users typing the domain in the URL bar. Is there any use for HTTP-only anyway? I don't see other libraries serving HTTP.

Anyway, I will let you decide what's best. I just brought up the issue because users in corporate environments get a gateway (and browser) red flag by default, unless you specifically type HTTPS.

Feel free to close the issue either way.

rcurtin commented 4 years ago

I switched the Apache configuration to automatically redirect to HTTPS. It doesn't seem like it could hurt. :+1:
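The redirect described in the thread, as an added example of the Apache configuration it implies (not mlpack's actual configuration; the certificate paths, DocumentRoot and the choice of www.mlpack.org as the canonical host are assumptions):

```apache
# Added example, not the mlpack.org configuration. Assumes mod_rewrite,
# mod_ssl and mod_headers are loaded; paths and canonical host are assumed.

# Plain-HTTP listener: its only job is to send clients to HTTPS.
<VirtualHost *:80>
    ServerName www.mlpack.org
    ServerAlias mlpack.org

    RewriteEngine on
    # 301 to the canonical host, keeping the requested path. Because the
    # substitution has no query string, mod_rewrite appends the original one.
    # The host is hard-coded rather than taken from %{HTTP_HOST} so an
    # attacker-supplied Host header is never reflected into the redirect.
    RewriteRule ^ https://www.mlpack.org%{REQUEST_URI} [L,R=301]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.mlpack.org
    ServerAlias mlpack.org
    DocumentRoot /var/www/mlpack.org

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/www.mlpack.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.mlpack.org/privkey.pem

    # HSTS: once a browser has seen this over HTTPS it will rewrite later
    # http:// requests to https:// itself, so the redirect above is only hit
    # on the very first visit. Only meaningful when sent over HTTPS.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```

Two caveats a practitioner would check: run `apachectl configtest` before reloading, and verify the result with `curl -sI http://www.mlpack.org/docs/` to confirm a `301` whose `Location` header starts with `https://www.mlpack.org/` and keeps the path. Start HSTS with a short `max-age` (a few minutes) and only raise it once every subdomain covered by `includeSubDomains` is confirmed to serve HTTPS, because browsers will refuse plain HTTP to those hosts for the whole period; add `preload` only if you intend to submit the domain to the browser preload list, since that is hard to undo.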