Ruby » Ruby master

(I apologize if this is not the best place for this -- I'm happy to move this to a different place if it's more appropriate.)

Ruby's official distribution server, cache.ruby-lang.org, is not served over HTTPS. When accessing the server over HTTPS, it presents a certificate from Fastly that is invalid for the domain.

I strongly believe that downloads of public builds of Ruby should be secure, private, and resistant to tampering. HTTPS provides all of those properties.

Some clients, like ruby-build and rvm, use client-side hashes to verify build integrity. Not all clients or users will do this verification, and so baking it into the cache.ruby-lang.org server will ensure that a broader set of Ruby users has a secure, verified download of Ruby.

Even when clients do perform client-side integrity checking, there is always a privacy implication to downloading information. Downloading Ruby without SSL leaks information about the client performing the download through request headers, and informs anyone watching the connection what version of Ruby is likely to be running on the downloading machine. In addition, traffic can be correlated in unpredictable ways: for example, a user agent sent to connect to a download of a Ruby build may appear later to download other information, providing a pattern of client behavior.

In any case, the web is, in general, moving to favor encrypted connections. SSL is faster, CAs like SSLMate and Let's Encrypt are emerging to make the process simpler, and web browsers are starting to encourage encrypted connections and discourage unencrypted ones.

I request that the Ruby team:

• install a valid certificate on cache.ruby-lang.org.
• update any links to cache.ruby-lang.org controlled by the Ruby team to use the https:// version.
• notify the community of the SSL availability with a tiny announcement post.

Thank you for considering my request.