Dear suckless folks,

On 08/31/17 11:36, ilf wrote:
> Hiltjo Posthuma:
> > I'm not a fan of automatic HTTP to HTTPS redirects. It would break
> > support for some text-based clients or some simple scripts as an example.
>
> I'm a huge fan of these redirects. A simple 301 Moved Permanently has
> been part of RFC 2616 since 1999 and anything not able to handle that is
> broken: https://tools.ietf.org/html/rfc2616#section-10.3.2
>
> Can you tell which clients and scripts break and how?

I understood it this way: there might be programs that are not able to
deal with TLS.

> > HSTS support makes sure http to https links are changed on the
> > client-side.
>
> Some privacy settings clean all states on exit, including cookies and
> HSTS. And people mostly type domains into a URL bar, not protocols.

Two more options would be DNSSEC/DANE for the Web service [1] and HTTPS
Everywhere [2].

Kind regards,
Paul

[1] https://www.internetsociety.org/articles/dane-taking-tls-authentication-next-level-using-dnssec
[2] https://www.eff.org/de/https-everywhere