On 2020-02-25, Nick Holland <n...@holland-consulting.net> wrote:
> Sorry, took a look at this a while back when I didn't have time to
> fully work through it...and then forgot about it. ;-/
> On 2020-02-12 04:34, Aham Brahmasmi wrote:
>> Namaste misc,
>> Overview:
>> Certain https URLs on openbsd.org get downgraded to http in redirection.
>> Steps:
>> When navigating to https://www.openbsd.org/cgi-bin/man.cgi [1] from a
>> browser, one ends up on http://man.openbsd.org/cgi-bin/man.cgi.
>> Same with https://www.openbsd.org/cgi-bin/cvsweb [1], which ends up on
>> http://cvsweb.openbsd.org/cgi-bin/cvsweb/.
> I Google for "openbsd man", I end up with a link to 
> httpS://man.openbsd.org.
> and it takes me to man.openbsd.org via httpS.
> I duckduckgo.com for "openbsd man", same thing.
> (yay.  I just used a website as a verb.)
> Google does seem to show a link for httpS://cvsweb.openbsd.org, but
> tosses the browser at http://cvsweb.openbsd.org. DuckDuckGo does not
> and does what you would expect and hope.

Google has https://www.openbsd.org/cgi-bin/cvsweb/, not

> Looking at the page source for the google return, it DOES appear to
> be sending the browser to http://, so everything is working as
> designed.  Is there a problem?  Yes -- google is aware https://
> those sites exist, but doesn't actually send users to them.
> Apparently your favorite search engine does as well.  Perhaps it
> isn't as privacy friendly as you are thinking it is.  The problem
> isn't with the websites, it's with where the search engine is 
> sending the user.

The problem *is* with the website (specifically www.openbsd.org, not
man/cvsweb). It redirects the old cgi-bin URLs to http versions whatever
protocol the request came in on.

$ ftp -o/dev/null https://www.openbsd.org/cgi-bin/cvsweb/
Requesting https://www.openbsd.org/cgi-bin/cvsweb/
Redirected to http://cvsweb.openbsd.org/cgi-bin/cvsweb/
Requesting http://cvsweb.openbsd.org/cgi-bin/cvsweb/
2607 bytes received in 0.01 seconds (265.55 KB/s)

$ ftp -o/dev/null https://www.openbsd.org/cgi-bin/man.cgi
Requesting https://www.openbsd.org/cgi-bin/man.cgi
Redirected to http://man.openbsd.org/cgi-bin/man.cgi
Requesting http://man.openbsd.org/cgi-bin/man.cgi
5590 bytes received in 0.00 seconds (1.55 MB/s)

> You want it changed so that when someone clicks on a link, they go
> somewhere OTHER than where that link sends them?  I understand your
> goal (everything should be HTTPS!!), but I don't really like the
> idea of "click here, go elsewhere".
> Want https? great. use it.  There are times when it's handy to NOT
> be obsessed with https (i.e., clock is hosed on your computer).  
> So ... unless some developer I really respect (which is just about
> all of them!) tells me to change this, I'm not planning on
> changing the behavior of the machines.

I did object to http->https redirects in the past, but now the web is
unusable without working https anyway and the "INSECURE openbsd.org"
shown on some browsers *is* a bit of an eyesore ...
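The ftp(1) transcripts above show the downgrade by hand. As an added example that is not part of this thread, the following Python script parses that kind of "Requesting" / "Redirected to" output and reports every hop where the scheme drops from https to http; the embedded transcript is copied from the message above, and the function names are my own.

```python
"""Flag https -> http downgrades in a redirect chain.

Works offline on ftp(1)-style transcript lines ("Requesting ..." /
"Redirected to ..."), so it can be pointed at saved output of a check like
  $ ftp -o/dev/null https://www.openbsd.org/cgi-bin/cvsweb/
"""
import re
from urllib.parse import urlsplit

# Constructed sample: the ftp(1) transcript quoted in the thread.
TRANSCRIPT = """\
Requesting https://www.openbsd.org/cgi-bin/cvsweb/
Redirected to http://cvsweb.openbsd.org/cgi-bin/cvsweb/
Requesting http://cvsweb.openbsd.org/cgi-bin/cvsweb/
2607 bytes received in 0.01 seconds (265.55 KB/s)
"""

HOP_RE = re.compile(r"^(?:Requesting|Redirected to)\s+(\S+)")


def parse_transcript(text):
    """Return the ordered URLs visited. ftp(1) prints both
    'Redirected to X' and 'Requesting X' for one hop, so consecutive
    duplicates are collapsed into a single entry."""
    urls = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m and (not urls or urls[-1] != m.group(1)):
            urls.append(m.group(1))
    return urls


def find_downgrades(urls):
    """Return (from_url, to_url) for each hop whose scheme goes from https
    to http. Changing host while staying on https is fine, and an
    http -> https upgrade is not flagged either."""
    downgrades = []
    for src, dst in zip(urls, urls[1:]):
        if urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http":
            downgrades.append((src, dst))
    return downgrades


def check_transcript(text):
    """Convenience wrapper: transcript text in, list of downgrade hops out."""
    return find_downgrades(parse_transcript(text))


if __name__ == "__main__":
    for src, dst in check_transcript(TRANSCRIPT):
        print(f"DOWNGRADE: {src} -> {dst}")
```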

