This repository has been archived by the owner on Jul 5, 2021. It is now read-only.

Consider including a security statement on https://ipfs.io #111

Closed
micxjo opened this issue Apr 6, 2016 · 7 comments

Comments

@micxjo

micxjo commented Apr 6, 2016

While the go-ipfs repo includes a section on Security Issues and https://ipfs.io/ipfs/QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG/security-notes exists, https://ipfs.io, https://ipfs.io/docs/install and http://dist.ipfs.io do not seem to contain any mention of security (even ctrl-f "secur" comes up blank).

This is compounded by the fact that the site does not make it obvious (to me) whether IPFS (client and protocols) is considered production-ready yet. The main page includes links to Install IPFS and Install IPFS Alpha, but the Alpha link is below the fold and they both point to https://ipfs.io/docs/install/ which doesn't make the status clear.

The notes at https://ipfs.io/ipfs/QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG/security-notes seem sensible and I would suggest linking to them prominently on https://ipfs.io and http://dist.ipfs.io, and possibly including a form of them inline on the installation instructions page.

@RichardLitt
Contributor

These are very good points. @dignifiedquire What do you think? dist is yours. We should certainly mention it on docs/install; I don't think that ipfs.io needs it so much.

@dignifiedquire
Contributor

I think there is a larger discussion to be had around how "ready" IPFS is and how we talk about it. Whatever the conclusion there is should be displayed in a consistent way on all platforms.

@micxjo
Author

micxjo commented Apr 8, 2016

A previous version of the install instructions included the warning

Note: if you're concerned about security, build from source, as either gobuilder.me or github.com could introduce vulnerabilities. We will be doing signed releases soon. Post here if you'd like this sooner.

Unsigned binaries are now being served from dist.ipfs.io over plain HTTP without any similar warning. While hopefully you will soon be able to at least link to the binaries over HTTPS (see ipfs/distributions#59), in the meantime you should consider adding a warning about the safety of the binary distribution channel, even if you haven't yet concluded what to say about the safety of the client/protocol itself.

@ghost

ghost commented May 5, 2016

(we have ssl for dist.ipfs.io now)

@micxjo
Author

micxjo commented May 6, 2016

Great! The links at https://ipfs.io/docs/install/ should be updated to use SSL.

@ghost

ghost commented May 6, 2016

Yes, I'll get to that in a bit. We have HSTS enabled so your browser should pick SSL anyway.
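The two technical points raised in this thread (the Apr 8 comment about binaries linked over plain HTTP, and the May 6 comment that HSTS will make browsers pick SSL) can both be checked mechanically. The script below is an added example written for this page; it is not code from the ipfs/website project and does not fetch anything from ipfs.io. It scans an HTML fragment for download links that reach a binary host over http://, parses a Strict-Transport-Security header the way a browser does, and encodes the caveat that HSTS only upgrades a request in a client that has already seen the header over HTTPS (a first visit over plain HTTP, or a curl/wget fetch, gets no upgrade). The HTML fragment, the host list and the header values are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that serve release binaries. A download link to one of these over plain
# http:// is the problem described in the thread. (Assumed list for this example.)
BINARY_HOSTS = {"dist.ipfs.io"}

# Constructed HTML fragment standing in for an install page's download list.
# This is NOT the real content of https://ipfs.io/docs/install/.
SAMPLE_INSTALL_HTML = """
<p>Download a release:</p>
<ul>
  <li><a href="http://dist.ipfs.io/go-ipfs/example/go-ipfs_linux-amd64.tar.gz">linux-amd64</a></li>
  <li><a href="https://dist.ipfs.io/go-ipfs/example/go-ipfs_darwin-amd64.tar.gz">darwin-amd64</a></li>
  <li><a href="/docs/install/">install docs</a></li>
</ul>
"""


class _LinkCollector(HTMLParser):
    """Collect every href on the page; uses only the standard-library parser."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def insecure_binary_links(html, hosts=BINARY_HOSTS):
    """Return every href that fetches from a binary host over plain HTTP.

    Such a link is the first contact a new user makes with the host, so neither
    TLS nor HSTS protects that download from on-path substitution."""
    parser = _LinkCollector()
    parser.feed(html)
    return [
        href for href in parser.hrefs
        if urlparse(href).scheme == "http" and urlparse(href).hostname in hosts
    ]


# One HSTS directive: name, optionally "=" and a (possibly quoted) integer value.
_DIRECTIVE = re.compile(r'^\s*([A-Za-z-]+)\s*(?:=\s*"?(\d+)"?)?\s*$')


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax).

    Returns a policy dict, or None when the header is absent or carries no
    valid max-age, in which case a browser ignores it entirely."""
    if not header_value:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for token in header_value.split(";"):
        match = _DIRECTIVE.match(token)
        if not match:
            continue  # malformed or empty directive; browsers skip these too
        name, value = match.group(1).lower(), match.group(2)
        if name == "max-age" and value is not None:
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


def hsts_upgrades_request(policy, previously_visited_over_https, client_honours_hsts=True):
    """Whether an http:// request to the host is rewritten to https:// by the client.

    HSTS is trust-on-first-use: the policy is only known to a client that has
    already received the header on an HTTPS response (preload lists aside), and
    non-browser clients such as curl or wget do not apply it at all."""
    return (
        bool(policy)
        and policy["max_age"] > 0  # max-age=0 tells the client to forget the host
        and previously_visited_over_https
        and client_honours_hsts
    )


if __name__ == "__main__":
    for href in insecure_binary_links(SAMPLE_INSTALL_HTML):
        print("plain-HTTP binary link:", href)
    policy = parse_hsts("max-age=31536000; includeSubDomains")
    print("HSTS policy:", policy)
    print("first visit upgraded:", hsts_upgrades_request(policy, previously_visited_over_https=False))
    print("later visit upgraded:", hsts_upgrades_request(policy, previously_visited_over_https=True))
```

Run against a saved copy of an install page, the link scan is the check worth adding to a docs build: any http:// link to a binary host is a finding regardless of the server's HSTS header, because the header is only delivered on a response the user has to reach over HTTPS first.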

@jessicaschilling
Contributor

Closing this issue, as overarching security messaging is being considered in the overall docs rework over at https://github.com/ipfs/docs .
