Namaste misc,

Apologies for the reincarnation of this mail trail.
> Sent: Tuesday, February 25, 2020 at 10:40 PM
> From: "Constantine A. Murenin" <muren...@gmail.com>
> To: "Vincenzo Nicosia" <kato...@freaknet.org>
> Cc: "Stuart Henderson" <s...@spacehopper.org>, "misc@openbsd.org" <misc@openbsd.org>
> Subject: Re: openbsd.org - certain https URLs downgraded to http in redirection
>
> On Tue, 25 Feb 2020 at 04:35, Vincenzo Nicosia <kato...@freaknet.org> wrote:
> >
> > On Tue, Feb 25, 2020 at 07:57:24AM -0000, Stuart Henderson wrote:
> >
> > [cut]
> >
> > > > Want https? great. use it. There are times when it's handy to NOT
> > > > be obsessed with https (i.e., clock is hosed on your computer).
> > > >
> > > > So ... unless some developer I really respect (which is just about
> > > > all of them1) tells me to change this, I'm not planning on
> > > > changing the behavior of the machines.
> > >
> > > I did object to http->https redirects in the past, but now the web is
> > > unusable without working https anyway and the "INSECURE openbsd.org"
> > > shown on some browsers *is* a bit of an eyesore ...
> > >
> >
> > IMHO, the fact that corporates (Google) want to dictate what is secure
> > and what is not, is not sufficient to force everybody on https, at all
> > times. I personally don't give a toss of what Chrome thinks of a
> > website and its security (maybe because I have never used Chrome or
> > because I quit google searches more than 10 years ago...).
> >
> > There are many cases where the overhead introduced by https is really
> > not worth the extra bit of confidentiality you get. And we are talking
> > here of manpages (that are installed in your system anyway) and of
> > system sources (that are available for download at any time, even from
> > an HTTPS mirror)...
> >
> > Sorry for the rant, but if I type "http://bring.me.there" I don't want
> > to find myself at "https://we.brought.you.somewhere.else". I am not a
> > chimp. I know what I type in my URL box. I know what I expect. And I
> > want to be able to serve content via HTTP/1.0 if I need so.
> >
>
> Exactly.
>
> Folks often forget, or are blissfully unaware, that Google Search itself
> still does work over both HTTP (without the S) as well as over the legacy
> TLSv1.0 HTTPS, so, the propaganda efforts and the destructive webmaster
> advice given by the Google Chrome and Mozilla teams to suppress the
> minorities from being able to access the websites is hypocritical, to say
> the least. /Do as I say, not as I do./
>
> The HTTP and TLSv1.0 traffic is mostly bots, some folks say? Surprise —
> many bots are still controlled by good people, used to do various useful
> things, so, you're still blocking actual people from a minority class from
> having access to your website. Not to mention the older phones and tablets
> with hundreds of megabytes of RAM and gigabytes of storage space that were
> abandoned by their creators and don't support TLSv1.2 and/or all the newest
> ciphers that are deemed to be the best practice today. The sad part is
> that the non-profits of today (e.g., Mozilla and Wikipedia) are effectively
> brokering the planned obsolescence of all these devices on behalf of the
> respective vendors.
>
> C.
Current situation:

  https://www.openbsd.org/cgi-bin/man.cgi* -> http://man.openbsd.org/cgi-bin/man.cgi*
  https://www.openbsd.org/cgi-bin/cvsweb   -> http://cvsweb.openbsd.org/cgi-bin/cvsweb
  http://www.openbsd.org/cgi-bin/man.cgi*  -> http://man.openbsd.org/cgi-bin/man.cgi*
  http://www.openbsd.org/cgi-bin/cvsweb    -> http://cvsweb.openbsd.org/cgi-bin/cvsweb

What folks here thought I was asking for:

  https://www.openbsd.org/cgi-bin/man.cgi* -> https://man.openbsd.org/cgi-bin/man.cgi*
  https://www.openbsd.org/cgi-bin/cvsweb   -> https://cvsweb.openbsd.org/cgi-bin/cvsweb
  http://www.openbsd.org/cgi-bin/man.cgi*  -> https://man.openbsd.org/cgi-bin/man.cgi*
  http://www.openbsd.org/cgi-bin/cvsweb    -> https://cvsweb.openbsd.org/cgi-bin/cvsweb

What my actual request is:

  https://www.openbsd.org/cgi-bin/man.cgi* -> https://man.openbsd.org/cgi-bin/man.cgi*
  https://www.openbsd.org/cgi-bin/cvsweb   -> https://cvsweb.openbsd.org/cgi-bin/cvsweb
  http://www.openbsd.org/cgi-bin/man.cgi*  -> http://man.openbsd.org/cgi-bin/man.cgi*
  http://www.openbsd.org/cgi-bin/cvsweb    -> http://cvsweb.openbsd.org/cgi-bin/cvsweb

In other words,

  Current configuration
    https -> http
    http  -> http

  Not Intended configuration
    https -> https
    http  -> https

  Intended configuration
    https -> https
    http  -> http

Currently, requests arriving on https as well as http ports are redirected
to the http port. This effectively downgrades a user-agent from https to
http, which I think may not be desirable.

In the intended configuration, if a request arrives on the https port, it
should be redirected to the https port, and not to the http port. If a
request arrives on the http port, it should continue to be redirected to
the http port.

This nuance is conveyed from the following line in the configuration in my
request:

  ...
  listen on * port https
  ...

In terms of httpd.conf configurations:

Probable Current Configuration:

  server "openbsd.org" {
    ...
    listen on * port http
    listen on * tls port https
    ...
    location "/cgi-bin/man.cgi*" {
      block return 301 "http://man...
    ...
    <similarly for cvsweb et al>
    ...

Intended Future Configuration:

  server "openbsd.org" {
    ...
    listen on * port http
    ...
    location "/cgi-bin/man.cgi*" {
      block return 301 "http://man...
    ...
    <similarly for cvsweb et al>
    ...

  server "openbsd.org" {
    ...
    listen on * tls port https
    ...
    location "/cgi-bin/man.cgi*" {
      block return 301 "https://man...
    ...
    <similarly for cvsweb et al>
    ...

As elaborated above, this change intends to only affect requests which
originate as https. This change does not intend to affect requests which
originate as http. So, I request you to please not redirect http to https.

The idea was to prevent https downgrade to http. The idea was not to enable
http upgrade to https. Au contraire, I believe openbsd.org should remain
fully functional on http for eternity.

Looking back at my original mail, I think I could have been more clear on
what I was requesting. I can understand how this came across as the request
to upgrade http to https. I struggle between terseness and verbosity. My bad.

Dhanyavaad,
ab

(P.S. - this mail is a near identical copy of my reply in an off-list
conversation that got dropped because gmx has some undiagnosable bounce
errors when delivering to individual inboxes.)
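A small checker, added here and not part of the thread or of OpenBSD's httpd, that classifies what a redirect does to the request scheme and runs the "current" and "intended" redirect tables from the message above through it. The tables are constructed from the message (trailing * globs dropped); fetch_location() is an assumed helper for checking a live server and needs network, everything else runs offline.

```python
from urllib.parse import urlsplit
import urllib.error
import urllib.request

# Constructed from the redirect tables above (request -> Location); trailing * globs dropped.
CURRENT = {
    "https://www.openbsd.org/cgi-bin/man.cgi": "http://man.openbsd.org/cgi-bin/man.cgi",
    "https://www.openbsd.org/cgi-bin/cvsweb": "http://cvsweb.openbsd.org/cgi-bin/cvsweb",
    "http://www.openbsd.org/cgi-bin/man.cgi": "http://man.openbsd.org/cgi-bin/man.cgi",
    "http://www.openbsd.org/cgi-bin/cvsweb": "http://cvsweb.openbsd.org/cgi-bin/cvsweb",
}
INTENDED = {
    "https://www.openbsd.org/cgi-bin/man.cgi": "https://man.openbsd.org/cgi-bin/man.cgi",
    "https://www.openbsd.org/cgi-bin/cvsweb": "https://cvsweb.openbsd.org/cgi-bin/cvsweb",
    "http://www.openbsd.org/cgi-bin/man.cgi": "http://man.openbsd.org/cgi-bin/man.cgi",
    "http://www.openbsd.org/cgi-bin/cvsweb": "http://cvsweb.openbsd.org/cgi-bin/cvsweb",
}

def classify_redirect(request_url, location):
    """Return 'downgrade', 'upgrade' or 'same' for one request -> Location pair."""
    src = urlsplit(request_url).scheme
    dst = urlsplit(location).scheme or src  # a relative Location keeps the scheme
    if src == "https" and dst == "http":
        return "downgrade"
    if src == "http" and dst == "https":
        return "upgrade"
    return "same"

def downgrades(redirects):
    """Request URLs whose redirect drops the user-agent from https to http."""
    return sorted(u for u, loc in redirects.items()
                  if classify_redirect(u, loc) == "downgrade")

class _NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; the 30x then surfaces as an HTTPError

def fetch_location(url, timeout=10):
    """Live check (assumed helper, needs network): the Location header sent for url."""
    opener = urllib.request.build_opener(_NoFollow)
    try:
        resp = opener.open(url, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err  # HTTPError carries the headers of the unfollowed 30x response
    return resp.headers.get("Location", "")

if __name__ == "__main__":
    for name, table in (("current", CURRENT), ("intended", INTENDED)):
        print(name, "downgrades:", downgrades(table) or "none")
```

Pair fetch_location(u) with classify_redirect(u, ...) over the request URLs to audit a live server the same way.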