On Thu, Aug 31, 2017 at 11:42:51AM +0200, Paul Menzel wrote:
> Dear suckless folks,
> 
> 
> On 08/31/17 11:36, ilf wrote:
> > Hiltjo Posthuma:
> > > I'm not a fan of automatic HTTP to HTTPS redirects. It would break
> > > support for some text-based clients or some simple scripts as an
> > > example.
> > 
> > I'm a huge fan of these redirects. A simple 301 Moved Permanently has
> > > been part of RFC 2616 since 1999 and anything not able to handle that is
> > broken: https://tools.ietf.org/html/rfc2616#section-10.3.2
> > 
> > Can you tell which clients and scripts break and how?
> 
> > I understood it to mean that there might be programs not able to deal
> > with TLS.
> 

Indeed, that's what I meant.

> > > HSTS support makes sure http to https links are changed on the
> > > client-side.
> > 
> > > Some privacy settings clean all state on exit, including cookies and
> > > HSTS. And people mostly type domains into a URL bar, not protocols.
> 
> Two more options would be DNSSEC/DANE for the Web service [1] and HTTPS
> Everywhere [2].
> 

I agree, or just a simple HTTPS browser bookmark. I think that's better on many
levels; for example, otherwise someone can also spoof a plain HTTP redirect.

-- 
Kind regards,
Hiltjo
