Re: [OSM-talk] HTTPS all the Things (Automated Edit)

For example https://openstreetmap.org/changeset/68527117 changed just one feature, there were about 20 other changes all in the same city, maybe the script has run it's course now I don't know, it's just lots of small changesets clog up osmcha making it harder to skip over them in bulk. On Tue,

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

Is this a problem that only a few are concerned with? Can I get a geographic area where I can run a larger number of changes in a larger bounding box? I could easily make some one-off changes on a per country basis if that would help. And would fewer changesets of, say, 100 objects be a good

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

And from my side - avoid making changesets with more than 1000 objects. Reverting changesets that went wrong, with tens of thousands modified objects is basically not making possible to review it. Mar 26, 2019, 12:41 AM by andrew.harv...@gmail.com: > Any chance you could do more changes per

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

Any chance you could do more changes per changeset? At the moment this is flooding feeds in osmcha with many small changesets, it would be easier if you did one big changeset. On Fri, 22 Feb 2019 at 18:05, Bryce Jasmer wrote: > I have written a script that will search for OSM objects that have

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

Thanks for pointing that out. I have fixed it by redirecting between the two pages. On Fri, Mar 8, 2019 at 4:28 AM Michael Reichert wrote: > Hi Bryce, > > Am 22/02/2019 um 08.02 schrieb Bryce Jasmer: > > The wiki page is > https://wiki.openstreetmap.org/wiki/Automated_Edits/b-jazz > > I have

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

Hi Bryce, Am 22/02/2019 um 08.02 schrieb Bryce Jasmer: > The wiki page is https://wiki.openstreetmap.org/wiki/Automated_Edits/b-jazz I have seen that you started uploading. Could you please add a link to that wiki page to the profile page of b-jazz-bot or create

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

Feb 27, 2019, 3:08 PM by a...@pigsonthewing.org.uk: > On Fri, 22 Feb 2019 at 07:02, Bryce Jasmer <> br...@jasmer.com > > > wrote: > >> I welcome your input. >> > > P.S. It would also be worth considering extending or adapting the > code, so that if an error like 404

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

On Fri, 22 Feb 2019 at 07:02, Bryce Jasmer wrote: > I welcome your input. P.S. It would also be worth considering extending or adapting the code, so that if an error like 404 is found, or a timeout occurs, then either: * a fixme tag, or note, is created * an entry is made on a wiki page or

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

On Fri, 22 Feb 2019 at 07:02, Bryce Jasmer wrote: > I have written a script that will search for OSM objects that > have a website tag that explicitly states "http://...; or implicitly > uses http by leaving of the protocol specification. The script > will then loop through all that it discovers

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

Feb 26, 2019, 3:05 PM by frede...@remote.org: > But I struggle to find any problems with the suggestion, other than my > general reservation against any automated edit - it will make the object > "look fresh" when indeed it hasn't been touched. > Would you also oppose to human manually checking

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

Feb 26, 2019, 2:45 PM by iknowjos...@gmail.com: > I can see in the comments of your diary entry that you were told about HSTS > recently. I'm not trying to be offensive, but that shows you're not a HTTPS / > web security expert. Do you really think you're the person to be making world > wide

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

In this case there are two things - motivation for spending time on edit and effects of actual changes. Motivation is not really important - it is not important whatever someone loves letter s or wants to improve security (and even if security is improved there was no point in mentioning it).

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

On 26/02/2019 14:29, Bryce Jasmer wrote: In that situation, the admin wouldn’t redirect all of their traffic to their test site with a potentially broken cert. I've seen exactly that happen a number of times... Best Regards, Andy ___ talk

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

On 2/26/2019 10:58 AM, Michael Reichert wrote: Hi Bryce, Do you have any safeguards against POIs which do not exist any more and whose domains are owned by domain sellers now? They often have a very basic website with a message like "This domain is for sale." and some advertisement. I would not

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

On 2/26/2019 8:45 AM, Joseph Reeves wrote: I can't see the security risk you're trying to protect against. We are looking at applications that use OSM data and will refer users to third party websites; what is the risk of a malicious user MiTM'ing a http request to a restaurant website (for

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

On 2019-02-26 6:05 a.m., Frederik Ramm wrote: Hi, when I first read about this planned edit, I was critical too; I thought, "ah, another eager youngster wanting to make the world a more secure place by telling everyone else how they ought to conduct their business". But if I haven't totally

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

Hi Bryce, Am 22/02/2019 um 08.02 schrieb Bryce Jasmer: > I have written a script that will search for OSM objects that have a > website tag that explicitly states "http://...; or implicitly uses http by > leaving of the protocol specification. The script will then loop through > all that it

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

James, I’m not following you. Can you expand on what changes you assume the bot will be making, and what the “horribly wrong” event as a result of said changes? I think you’re leaving out a piece of the puzzle and I’m not sure what it is. Thanks. On Tue, Feb 26, 2019 at 6:46 AM James wrote: >

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

I can give an example of this going horribly wrong: http://www.osmcanada.ca redirects to https://www.osmcanada.ca but I specifically disabled https on http://tasks.osmcanada.ca (hosted on same server) because josm doesnt play nice with https task manager Web admins will redirect their traffic

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

Hi Rory, Sure, so my point is: If someone wants to encourage https adoption in the wider world, the OSM database is not the place to do it. Security mechanisms exist for website operators to implement if they so desire, and they may need help making the most appropriate decisions. Cheers, Joseph

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

The HSTS discussion is completely orthogonal to what the stated goal is and any further discussion on it is really just muddying the waters. HSTS comes into play after the user is already visiting over https. If I’m mistaken, please help me understand. On Tue, Feb 26, 2019 at 6:30 AM Rory McCann

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

In that situation, the admin wouldn’t redirect all of their traffic to their test site with a potentially broken cert. The bot will only modify objects where the admin is specifically redirecting traffic already. It makes no assumptions. The scope is very limited for this exact reason. It will NOT

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

On 26/02/2019 14:45, Joseph Reeves wrote: As an aside, HSTS is interesting here because the website operator is saying "only use this domain over https", but at that point, we don't need to make changes to the database because the web client should be aware of the HSTS preload list; the protocol

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

Hi, when I first read about this planned edit, I was critical too; I thought, "ah, another eager youngster wanting to make the world a more secure place by telling everyone else how they ought to conduct their business". But if I haven't totally misunderstood this, then the proposal will only

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

This certificate question from Andy is a good one, and is the final reason I'm emailing to say I would vote against this proposed edit: 1. I can't see the security risk you're trying to protect against. We are looking at applications that use OSM data and will refer users to third party

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

On 26/02/2019 12:34, Bryce Jasmer wrote: Correct. No change will be made on anything other than the most straightforward of redirects. So even http://example.com -> https://example.com/home.aspx will be ignored. What about certificate checking? Suppose someone primarily uses http:// for

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

Crossing country border is OK for me. Problem is when one edit object is in say Moscow and second just across Bering Strait resulting in edit bounding box going across entire continent. In my bots I use 0.1 degrees as max size of bounding box in both latitute and longuitude, except cases where

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

How would you feel about bounding boxes that cross country borders but are 3 geohash digits or smaller? (Sorry I cant give you an example at the moment, the power has been out so I can’t access tools on my computer.) I’m not sure what your definition of enormous is and what would be an acceptable

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

In that case this mechanical edit makes sense for me (as long as edits will not create enormous bounding boxes due to grouping edits across country in one edit) Feb 26, 2019, 1:34 PM by br...@jasmer.com: > Correct. No change will be made on anything other than the most > straightforward of

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

Correct. No change will be made on anything other than the most straightforward of redirects. So even http://example.com -> https://example.com/home.aspx will be ignored. On Tue, Feb 26, 2019 at 4:23 AM Frederik Ramm wrote: > Hi, > > On 26.02.19 12:47, Mateusz Konieczny wrote: > > So when

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

Hi, On 26.02.19 12:47, Mateusz Konieczny wrote: > So when http://domainname.com redirects to > https://some-other-domainname.com > no edit will be made, right? The logic for this appears to be here

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

Feb 22, 2019, 8:02 AM by br...@jasmer.com: > I have written a script that will search for OSM objects that have a website > tag that explicitly states "http://...; or implicitly uses http by leaving of > the protocol specification. The script will then loop through all that it > discovers and

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

On 2/22/2019 3:48 PM, Mike N wrote: On 2/22/2019 3:36 PM, Jmapb wrote: IMO the value of an automated edit when there's already a redirect in place is minimal enough that I don't think it justifies bumping the version and modification date. Just my opinion.   The value of the automated edit

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

On 2/22/2019 3:36 PM, Jmapb wrote: IMO the value of an automated edit when there's already a redirect in place is minimal enough that I don't think it justifies bumping the version and modification date. Just my opinion. The value of the automated edit is that there is a small improvement

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

On 2/22/2019 2:02 AM, Bryce Jasmer wrote: I have written a script that will search for OSM objects that have a website tag that explicitly states "http://...; or implicitly uses http by leaving of the protocol specification. The script will then loop through all that it discovers and asks the

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

Good point Stephan about protocol-less urls being left to the "browser" using the same protocol as it is currently using. But I think my approach is pretty sound in that I'll only update the value if there is a redirect from http to https. I did a sample of a dozen websites that don't redirect and

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

s basically you copied this? https://www.eff.org/https-everywhere On Fri., Feb. 22, 2019, 2:05 a.m. Bryce Jasmer, wrote: > I have written a script that will search for OSM objects that have a > website tag that explicitly states "http://...; or implicitly uses http > by leaving of the

Re: [OSM-talk] HTTPS all the Things (Automated Edit)

Hi, Please be aware that protocol independent URLs do not mean that http is used. The client will simply continue using the protocol it used before. Real need for that is quite limited. So in most cases they are better written as https. But it then needs to be changed where the URL is used

[OSM-talk] HTTPS all the Things (Automated Edit)

I have written a script that will search for OSM objects that have a website tag that explicitly states "http://...; or implicitly uses http by leaving of the protocol specification. The script will then loop through all that it discovers and asks the http site if it will redirect me to the secure