Draft text for HSTS communication

[mhdawson]

Proposed Text:

---

Heads Up !

The goal of the Node.js build team is to deliver services/resources through channels protected
by cryptography whenever possible. As part of this effort we are planning to enable HTTP Strict
Transport Security(HSTS) on nodejs.org, iojs.org and all subdomains.

With HSTS enabled, the web sites will inform browsers that the site should never be loaded using
HTTP and any such attempts should be converted to HTTPs requests. Enabling HSTS will ensure that
all resources are delivered through a protected channel and prevents a number of man in the
middle attacks. You can read more about HSTS here.

The current plan is to do the rollout in two steps:

• We will run a test the weekend of November 4-6.
• We will do the complete switch-over on December 2nd.

As an alternative for clients that can't support the new setup, we will provide unencrypted.nodejs.org and unencrypted.iojs.org as an alternative which will
support http and rsync protocols for an interim period until January 1 2022.

If you have any questions or concerns please open an issue in the build repo.

[jbergstroem]

Typo: Novembeddr -> November

We should also mention that we will offer an alternative for clients that doesn't support this at unencrypted.{nodejs,iojs}.org that allows http and rsync protocols. These services have been given an EOL at 2022-01-01 but might be extended if no other viable alternative has been made available.

@rvagg lgty?

[mhdawson]

@jbergstroem @rvagg updated based on @jbergstroem comments. Left out the part about an extension as 2022 is pretty far out anyway so I don't think softening by mentioning a possible extension helps.

[gibfahn]

ref: #55

[mhdawson]

@jbergstroem @rvagg any comments or should we plan to send this out ?

[mhdawson]

Added to WG agenda in case we don't close on it before then.

[jbergstroem]

(i have no more comments)

[MylesBorins]

quick ping to @ljharb and @qw3rtman to confirm this would not negatively affect n or nvm

[joaocgreis]

Text LGTM.

Perhaps when we enable this completely we can add a visible notice to the main page warning users about this (for one week perhaps?). Users that are not able to connect will probably try another computer/browser and if they can access there they will find an explanation.

[Trott]

Text LGTM

[gibfahn]

So presumably unencrypted.nodejs.org would be identical to the current nodejs.org?

[jbergstroem]

@gibfahn: correct. it rsyncs every N minutes (I forget) and makes it available over rsync and http. We might look at adding ipfs at some point.

[ljharb]

This will absolutely break anyone using an older version of nvm (luckily, a much much older version) that has the mirror pointed at the HTTP version - however, anyone who wants io.js support, or working node4+ support, has a version of nvm that points at the HTTPS URL, so I think this should be fine.

Note that #233 is still open and prevents older clients from accessing iojs.org even with SSL - fixing that first would be very helpful to mitigate the impact of this change.