Weaning "host" off HTTPS/SSL

The "host" server will eventually stop supporting incoming SSL connections. Please update your links accordingly.

Redirecting you to TARGET in 15 seconds.

Why is SSL being turned off?

Even though Let's Encrypt certificates are free, renewing them every three months takes time and effort. Because "host" is load-balanced across several machines, every renewed certificate has to be rolled out to each node, so the effort involved is non-negligible and could not be fully automated.

There is a bigger reason, though. We think that mindless security procedures are detrimental to all organizations. When security becomes the overriding concern, it makes organizations wither, slowly but surely. Security measures should be applied with intelligence and proportion. In larger organizations, the current trend is to apply security-motivated organizational changes first and think later.

But what about security risks?

Admittedly, turning off SSL can have adverse effects. An attacker could eavesdrop on the connection and steal user credentials. However, "host" does not store user credentials, so there are none to steal. Incidentally, it does not track users or set cookies either.

In a more severe case, an attacker could intercept the HTTP connection and serve tampered binaries. To remove this exposure, "host" will no longer serve downloadable binaries itself but will delegate that task to Maven Central, from which 99% of users download the binaries anyway. Note that an attacker who intercepts the plain-HTTP page could still rewrite its download links, so the remaining protection lies in the download itself being made over Maven Central's HTTPS and in the checksum and PGP signature files that Central publishes next to every artifact: check that the link you follow really points to Maven Central over HTTPS, and verify what you downloaded.
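The client-side checks that this arrangement relies on, as an added example that is not part of the original notice or of the "host" project: confirm that a download link really points at Maven Central over HTTPS, derive the expected artifact URL from Maven coordinates using Central's standard repository layout, and verify the downloaded bytes against the checksum sidecar that Central publishes beside each artifact. The coordinates (`org.example:demo:1.0.0`), the jar bytes and the sidecar contents are constructed for illustration; nothing here touches the network.

```python
"""Client-side integrity checks for binaries fetched from Maven Central.

Added example, not code from the "host" notice. Once "host" only links to
Maven Central from an unauthenticated HTTP page, the remaining risk is that
the link itself is rewritten in transit. These helpers let a user or build
script (1) reject links that are not HTTPS to Maven Central, (2) compute the
canonical artifact URL from coordinates, and (3) verify downloaded bytes
against the .sha1 (or .sha256/.sha512) sidecar Central publishes.

All sample data below is constructed; the Central layout and host are real.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

CENTRAL_HOST = "repo1.maven.org"
CENTRAL_BASE = f"https://{CENTRAL_HOST}/maven2"


def central_url(group_id: str, artifact_id: str, version: str, ext: str = "jar") -> str:
    """Return the canonical Maven Central URL for an artifact.

    Standard repository layout: the groupId's dots become path separators,
    followed by artifactId, version and '<artifactId>-<version>.<ext>'.
    """
    group_path = group_id.replace(".", "/")
    return f"{CENTRAL_BASE}/{group_path}/{artifact_id}/{version}/{artifact_id}-{version}.{ext}"


def is_central_https(url: str) -> bool:
    """True only if the link uses HTTPS and its host is exactly Maven Central.

    A man-in-the-middle on the plain-HTTP "host" page could rewrite a link to
    http:// or to a look-alike host; both must be rejected.
    """
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname == CENTRAL_HOST


def parse_sidecar_digest(sidecar_text: str) -> str:
    """Extract the hex digest from a checksum sidecar file.

    Some sidecars contain only the digest, others '<digest>  <filename>';
    the digest is always the first whitespace-separated token.
    """
    tokens = sidecar_text.split()
    if not tokens:
        raise ValueError("empty checksum sidecar")
    return tokens[0].lower()


def verify_artifact(data: bytes, sidecar_text: str, algorithm: str = "sha1") -> bool:
    """Compare downloaded bytes against the digest published in the sidecar.

    Central publishes .md5 and .sha1 sidecars; where a .sha256 or .sha512 is
    also present, pass that algorithm name instead. A malformed sidecar
    (non-hex content) is treated as a failed verification, never as success.
    """
    expected = parse_sidecar_digest(sidecar_text)
    try:
        bytes.fromhex(expected)
    except ValueError:
        return False
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample: a stand-in for demo-1.0.0.jar and its .sha1 sidecar.
SAMPLE_JAR = b"PK\x03\x04 constructed stand-in for demo-1.0.0.jar"
SAMPLE_SIDECAR = hashlib.sha1(SAMPLE_JAR).hexdigest() + "  demo-1.0.0.jar\n"
TAMPERED_JAR = SAMPLE_JAR + b"\x90\x90"  # two bytes appended "in transit"


def demo() -> dict:
    """Run every check on the constructed sample and return the verdicts."""
    url = central_url("org.example", "demo", "1.0.0")
    return {
        "url": url,
        "link_ok": is_central_https(url),
        "http_link_rejected": not is_central_https(url.replace("https://", "http://", 1)),
        "genuine_verifies": verify_artifact(SAMPLE_JAR, SAMPLE_SIDECAR),
        "tampered_rejected": not verify_artifact(TAMPERED_JAR, SAMPLE_SIDECAR),
    }


if __name__ == "__main__":
    for check, verdict in demo().items():
        print(f"{check}: {verdict}")
```

The checksum sidecar only proves that the bytes match what Central is serving; the stronger check is the `.asc` PGP signature Central requires for every artifact, verified against the project's published signing key, which is outside the scope of this example.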