Sorry, took a look at this a while back when I didn't have time to fully work through it...and then forgot about it. ;-/
On 2020-02-12 04:34, Aham Brahmasmi wrote: > Namaste misc, > > Overview: > Certain https URLs on openbsd.org get downgraded to http in redirection. > > Steps: > When navigating to https://www.openbsd.org/cgi-bin/man.cgi [1] from a > browser, one ends up on http://man.openbsd.org/cgi-bin/man.cgi. > > Same with https://www.openbsd.org/cgi-bin/cvsweb [1], which ends up on > http://cvsweb.openbsd.org/cgi-bin/cvsweb/. I Google for "openbsd man", I end up with a link to httpS://man.openbsd.org. and it takes me to man.openbsd.org via httpS. I duckduckgo.com for "openbsd man", same thing. (yay. I just used a website as a verb.) Google does seem to show a link for httpS://cvsweb.openbsd.org, but tosses the browser at http://cvsweb.openbsd.org. DuckDuckGo does not and does what you would expect and hope. Looking at the page source for the google return, it DOES appear to be sending the browser to http://, so everything is working as designed. Is there a problem? Yes -- google is aware https:// those sites exists, but doesn't actually send users to them. Apparently your favorite search engine does as well. Perhaps it isn't as privacy friendly as you are thinking it is. The problem isn't with the websites, it's with where the search engine is sending the user. You want it changed so that when someone clicks on a link, they go somewhere OTHER than where that link sends them? I understand your goal (everything should be HTTPS!!), but I don't really like the idea of "click here, go elsewhere". Want https? great. use it. There are times when it's handy to NOT be obsessed with https (i.e., clock is hosed on your computer). So ... unless some developer I really respect (which is just about all of them1) tells me to change this, I'm not planning on changing the behavior of the machines. Nick.
