On 2020-02-25, Nick Holland <n...@holland-consulting.net> wrote:
> Sorry, took a look at this a while back when I didn't have time to
> fully work through it...and then forgot about it. ;-/
>
> On 2020-02-12 04:34, Aham Brahmasmi wrote:
>> Namaste misc,
>>
>> Overview:
>> Certain https URLs on openbsd.org get downgraded to http in redirection.
>>
>> Steps:
>> When navigating to https://www.openbsd.org/cgi-bin/man.cgi [1] from a
>> browser, one ends up on http://man.openbsd.org/cgi-bin/man.cgi.
>>
>> Same with https://www.openbsd.org/cgi-bin/cvsweb [1], which ends up on
>> http://cvsweb.openbsd.org/cgi-bin/cvsweb/.
>
> I Google for "openbsd man", I end up with a link to
> httpS://man.openbsd.org.
> and it takes me to man.openbsd.org via httpS.
>
> I duckduckgo.com for "openbsd man", same thing.
> (yay. I just used a website as a verb.)
>
> Google does seem to show a link for httpS://cvsweb.openbsd.org, but
> tosses the browser at http://cvsweb.openbsd.org. DuckDuckGo does not
> and does what you would expect and hope.

Google has https://www.openbsd.org/cgi-bin/cvsweb/, not https://cvsweb.openbsd.org.

> Looking at the page source for the google return, it DOES appear to
> be sending the browser to http://, so everything is working as
> designed. Is there a problem? Yes -- google is aware https://
> those sites exists, but doesn't actually send users to them.
>
> Apparently your favorite search engine does as well. Perhaps it
> isn't as privacy friendly as you are thinking it is. The problem
> isn't with the websites, it's with where the search engine is
> sending the user.

The problem *is* with the website (specifically www.openbsd.org, not man/cvsweb). It redirects the old cgi-bin URLs to http versions whatever protocol the request came in on.

$ ftp -o/dev/null https://www.openbsd.org/cgi-bin/cvsweb/
Trying 129.128.5.194...
Requesting https://www.openbsd.org/cgi-bin/cvsweb/
Redirected to http://cvsweb.openbsd.org/cgi-bin/cvsweb/
Trying 128.100.17.243...
Requesting http://cvsweb.openbsd.org/cgi-bin/cvsweb/
2607 bytes received in 0.01 seconds (265.55 KB/s)

$ ftp -o/dev/null https://www.openbsd.org/cgi-bin/man.cgi
Trying 129.128.5.194...
Requesting https://www.openbsd.org/cgi-bin/man.cgi
Redirected to http://man.openbsd.org/cgi-bin/man.cgi
Trying 128.100.17.244...
Requesting http://man.openbsd.org/cgi-bin/man.cgi
5590 bytes received in 0.00 seconds (1.55 MB/s)

> You want it changed so that when someone clicks on a link, they go
> somewhere OTHER than where that link sends them? I understand your
> goal (everything should be HTTPS!!), but I don't really like the
> idea of "click here, go elsewhere".
>
> Want https? great. use it. There are times when it's handy to NOT
> be obsessed with https (i.e., clock is hosed on your computer).
>
> So ... unless some developer I really respect (which is just about
> all of them1) tells me to change this, I'm not planning on
> changing the behavior of the machines.

I did object to http->https redirects in the past, but now the web is unusable without working https anyway and the "INSECURE openbsd.org" shown on some browsers *is* a bit of an eyesore ...
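
The check done by eye on the ftp transcripts above can be automated. The following is an added example, not part of the thread or of any OpenBSD tooling: a shell function that reads a transcript in the "Requesting" / "Redirected to" format shown in the post and reports every redirect that leaves https:// for http://. The function names and the example.org control case are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: flag HTTPS -> HTTP redirects in an ftp(1)-style transcript.

# Reads a transcript on stdin and prints one "DOWNGRADE <from> -> <to>" line
# for every redirect whose source is https:// and whose target is http://.
find_downgrades() {
    awk '
        $1 == "Requesting" { cur = $2 }          # URL currently being fetched
        $1 == "Redirected" && $2 == "to" {
            if (cur ~ /^https:\/\// && $3 ~ /^http:\/\//)
                printf "DOWNGRADE %s -> %s\n", cur, $3
            cur = $3                             # follow the chain
        }
    '
}

# Transcript lines copied from the two ftp runs in the post above.
page_transcript() {
    cat <<'EOF'
Trying 129.128.5.194...
Requesting https://www.openbsd.org/cgi-bin/cvsweb/
Redirected to http://cvsweb.openbsd.org/cgi-bin/cvsweb/
Trying 128.100.17.243...
Requesting http://cvsweb.openbsd.org/cgi-bin/cvsweb/
Trying 129.128.5.194...
Requesting https://www.openbsd.org/cgi-bin/man.cgi
Redirected to http://man.openbsd.org/cgi-bin/man.cgi
Trying 128.100.17.244...
Requesting http://man.openbsd.org/cgi-bin/man.cgi
EOF
}

# Constructed control case: a redirect that stays on https must not be flagged.
control_transcript() {
    cat <<'EOF'
Requesting https://example.org/old
Redirected to https://example.org/new
Requesting https://example.org/new
EOF
}

page_transcript | find_downgrades
control_transcript | find_downgrades
```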