Re: Browser: unwanted https instead of http

[Rick Merrill]

On 10/12/2016 2:17 PM, NoOp wrote:

On 10/11/2016 9:30 PM, Rainer Bielefeld wrote:

Hi,

on some (few) web pages I can not reach the linked contents because my
unofficial en-US SeaMonkey 2.49a1  (NT 6.1; WOW64; rv:52.0)
Gecko/20100101 Firefox/52.0 Build 20160930004545  (Default Classic
Theme) on German WIN7 64bit with my normal User Profile automatically
replaces "http" in URL by "https".

Example:
1. In Browser visit 
2. In page contents heading line
ˋclick downloads - Firmwareˊ
Expected:  opens
Actual:    will
  not open because it does not exist. So Error 404.

I see that after a short moment in URL bar "http" becomes replaced by
"https"


Many web sites are starting to do this for you. It sounds normal to me.


___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Browser: unwanted https instead of http

[Rainer Bielefeld]

On 15.10.2016 00:02, NoOp wrote:
> perhaps Rainer can file a bug report requesting the ability 

Hello,

I will do some more research and think about that option, soon.

CU

Rainer
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Browser: unwanted https instead of http

[Rainer Bielefeld]

On 13.10.2016 21:42, mozilla-lists.mbou...@spamgourmet.com wrote:
> You can clear SeaMonkey's memory of having seen the
> strict-transport-security header


Hello,

thanks a lot, yes, that is the root of the problem!

CU

Rainer
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Browser: unwanted https instead of http

[NoOp]

On 10/15/2016 5:12 AM, mozilla-lists.mbou...@spamgourmet.com wrote:
> NoOp wrote:
>> On 10/13/2016 12:42 PM, mozilla-lists.mbou...@spamgourmet.com wrote:
>>> Mark Bourne wrote:
 Rainer Bielefeld wrote:
> Hi,
>
> on some (few) web pages I can not reach the linked contents because my
> unofficial en-US SeaMonkey 2.49a1  (NT 6.1; WOW64; rv:52.0)
> Gecko/20100101 Firefox/52.0 Build 20160930004545  (Default Classic
> Theme) on German WIN7 64bit with my normal User Profile automatically
> replaces "http" in URL by "https".
>
> Example:
> 1. In Browser visit 
> 2. In page contents heading line
>  ˋclick downloads - Firmwareˊ
>  Expected:  opens
>  Actual:    will
>not open because it does not exist. So Error 404.
>
> I see that after a short moment in URL bar "http" becomes replaced by
> "https"
>
> This also happens in Safe Mode without add-ons
> No problem in a newly created User Profile.
> So this problem seems to be caused by my preferences, but I can't find
> the responsible one.

 On first trying, that didn't happen for me. Visiting
  stayed on the http: version.

 However, I then changed http: to https:, i.e.
 , and got a 404 Not Found
 page. Now, when I try going back to the http: version, it automatically
 redirects to the https: version.

 Visiting the https: version returns a strict-transport-security header.
 That indicates to the browser that, from now on, it should only access
 that pages on that domain via https:, not http:, to protect against
 attacks which attempt to force use of http:. So when you attempt to
 access the page via http:, the browser instead accesses it via https:.

 Since the site can serve the content in question via http: but not
 https:, it looks like a misconfiguration of that site's server to me -
 either it should be prepared to serve all content via https:, or it
 shouldn't send a strict-transport-security header instructing the
 browser to only use https:!
>>>
>>> I should have mentioned I was using SeaMonkey 2.40 on Windows Vista:
>>> Mozilla/5.0 (Windows NT 6.0; rv:43.0) Gecko/20100101 Firefox/43.0
>>> SeaMonkey/2.40
>>>
>>> You can clear SeaMonkey's memory of having seen the
>>> strict-transport-security header as follows:
>>> - Close SeaMonkey
>>> - Use a text editor to open SiteSecurityServiceState.txt from your
>>> profile folder
>>> - Search for the line containing "myvigoreu.draytek.com"
>>> - Delete that line
>>> - Save the file
>>> - Open SeaMonkey
>>> - You should now be able to visit
>>>  and see the list of downloads
>>
>> Appears that these bugs are most related:
> 
> Those bugs are indeed related to HSTS, but I believe the issue Rainer is 
> seeing is due to HSTS working correctly on the browser, but the web 
> server he's trying to access is configured such that some content is not 
> accessible via HTTPS.
> 
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1123971
>> 'HSTS entry in SiteSecurityServiceState.txt blocks me from visiting site'
> 
> It appears that this one may, again, be a mistake in the server 
> configuration, this time leading to an infinite loop of redirects. 
> Although, as noted in that report, it would be nice if the browser 
> detected such a loop and displayed a useful error message rather than 
> just continuously trying to load the page.
> 
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1119778
>> 'Forget about this site does not clear HSTS setting'
>>Fixes Firefox so that you can select: History|Show All History| -
>> right click on the Draytek https link and select 'Forget about this
>> site' from the dropdown. I cannot find any such option in SeaMonkey, so
>> perhaps Rainer can file a bug report requesting the ability to clear
>> sites in SiteSecurityServiceState.txt from the 'History' UI.
> 
> That would make it easier to work around the incorrectly configured 
> server, by using "forget about this site" rather than editing a 
> SiteSecurityServiceState.txt. With the incorrectly configured server, it 
> would still be necessary to repeat that workaround following any 
> subsequent visit to .
> 
> In my SeaMonkey 2.40, there is a "Forget About This Domain" option when 
> I right-click on a domain in the Data Manager. However, draytek.com 
> isn't listed there since there isn't any data managed by the Data 
> Manager associated with that domain, and I suspect it wouldn't clear the 
> HSTS data anyway. I think HSTS status used to be represented as a 
> "permission", but it was removed from there because users were confused 
> by the large number of domains 

Re: Browser: unwanted https instead of http

[mozilla-lists . mbourne]

NoOp wrote:

On 10/13/2016 12:42 PM, mozilla-lists.mbou...@spamgourmet.com wrote:

Mark Bourne wrote:

Rainer Bielefeld wrote:

Hi,

on some (few) web pages I can not reach the linked contents because my
unofficial en-US SeaMonkey 2.49a1  (NT 6.1; WOW64; rv:52.0)
Gecko/20100101 Firefox/52.0 Build 20160930004545  (Default Classic
Theme) on German WIN7 64bit with my normal User Profile automatically
replaces "http" in URL by "https".

Example:
1. In Browser visit 
2. In page contents heading line
 ˋclick downloads - Firmwareˊ
 Expected:  opens
 Actual:    will
   not open because it does not exist. So Error 404.

I see that after a short moment in URL bar "http" becomes replaced by
"https"

This also happens in Safe Mode without add-ons
No problem in a newly created User Profile.
So this problem seems to be caused by my preferences, but I can't find
the responsible one.


On first trying, that didn't happen for me. Visiting
 stayed on the http: version.

However, I then changed http: to https:, i.e.
, and got a 404 Not Found
page. Now, when I try going back to the http: version, it automatically
redirects to the https: version.

Visiting the https: version returns a strict-transport-security header.
That indicates to the browser that, from now on, it should only access
that pages on that domain via https:, not http:, to protect against
attacks which attempt to force use of http:. So when you attempt to
access the page via http:, the browser instead accesses it via https:.

Since the site can serve the content in question via http: but not
https:, it looks like a misconfiguration of that site's server to me -
either it should be prepared to serve all content via https:, or it
shouldn't send a strict-transport-security header instructing the
browser to only use https:!


I should have mentioned I was using SeaMonkey 2.40 on Windows Vista:
Mozilla/5.0 (Windows NT 6.0; rv:43.0) Gecko/20100101 Firefox/43.0
SeaMonkey/2.40

You can clear SeaMonkey's memory of having seen the
strict-transport-security header as follows:
- Close SeaMonkey
- Use a text editor to open SiteSecurityServiceState.txt from your
profile folder
- Search for the line containing "myvigoreu.draytek.com"
- Delete that line
- Save the file
- Open SeaMonkey
- You should now be able to visit
 and see the list of downloads


Appears that these bugs are most related:


Those bugs are indeed related to HSTS, but I believe the issue Rainer is 
seeing is due to HSTS working correctly on the browser, but the web 
server he's trying to access is configured such that some content is not 
accessible via HTTPS.



https://bugzilla.mozilla.org/show_bug.cgi?id=1123971
'HSTS entry in SiteSecurityServiceState.txt blocks me from visiting site'


It appears that this one may, again, be a mistake in the server 
configuration, this time leading to an infinite loop of redirects. 
Although, as noted in that report, it would be nice if the browser 
detected such a loop and displayed a useful error message rather than 
just continuously trying to load the page.



https://bugzilla.mozilla.org/show_bug.cgi?id=1119778
'Forget about this site does not clear HSTS setting'
   Fixes Firefox so that you can select: History|Show All History| -
right click on the Draytek https link and select 'Forget about this
site' from the dropdown. I cannot find any such option in SeaMonkey, so
perhaps Rainer can file a bug report requesting the ability to clear
sites in SiteSecurityServiceState.txt from the 'History' UI.


That would make it easier to work around the incorrectly configured 
server, by using "forget about this site" rather than editing a 
SiteSecurityServiceState.txt. With the incorrectly configured server, it 
would still be necessary to repeat that workaround following any 
subsequent visit to .


In my SeaMonkey 2.40, there is a "Forget About This Domain" option when 
I right-click on a domain in the Data Manager. However, draytek.com 
isn't listed there since there isn't any data managed by the Data 
Manager associated with that domain, and I suspect it wouldn't clear the 
HSTS data anyway. I think HSTS status used to be represented as a 
"permission", but it was removed from there because users were confused 
by the large number of domains appearing in the Data Manager with 
"permissions" they hadn't set.


--
Mark.

___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Browser: unwanted https instead of http

[NoOp]

On 10/13/2016 12:42 PM, mozilla-lists.mbou...@spamgourmet.com wrote:
> Mark Bourne wrote:
>> Rainer Bielefeld wrote:
>>> Hi,
>>>
>>> on some (few) web pages I can not reach the linked contents because my
>>> unofficial en-US SeaMonkey 2.49a1  (NT 6.1; WOW64; rv:52.0)
>>> Gecko/20100101 Firefox/52.0 Build 20160930004545  (Default Classic
>>> Theme) on German WIN7 64bit with my normal User Profile automatically
>>> replaces "http" in URL by "https".
>>>
>>> Example:
>>> 1. In Browser visit 
>>> 2. In page contents heading line
>>> ˋclick downloads - Firmwareˊ
>>> Expected:  opens
>>> Actual:    will
>>>   not open because it does not exist. So Error 404.
>>>
>>> I see that after a short moment in URL bar "http" becomes replaced by
>>> "https"
>>>
>>> This also happens in Safe Mode without add-ons
>>> No problem in a newly created User Profile.
>>> So this problem seems to be caused by my preferences, but I can't find
>>> the responsible one.
>>
>> On first trying, that didn't happen for me. Visiting
>>  stayed on the http: version.
>>
>> However, I then changed http: to https:, i.e.
>> , and got a 404 Not Found
>> page. Now, when I try going back to the http: version, it automatically
>> redirects to the https: version.
>>
>> Visiting the https: version returns a strict-transport-security header.
>> That indicates to the browser that, from now on, it should only access
>> that pages on that domain via https:, not http:, to protect against
>> attacks which attempt to force use of http:. So when you attempt to
>> access the page via http:, the browser instead accesses it via https:.
>>
>> Since the site can serve the content in question via http: but not
>> https:, it looks like a misconfiguration of that site's server to me -
>> either it should be prepared to serve all content via https:, or it
>> shouldn't send a strict-transport-security header instructing the
>> browser to only use https:!
> 
> I should have mentioned I was using SeaMonkey 2.40 on Windows Vista:
> Mozilla/5.0 (Windows NT 6.0; rv:43.0) Gecko/20100101 Firefox/43.0 
> SeaMonkey/2.40
> 
> You can clear SeaMonkey's memory of having seen the 
> strict-transport-security header as follows:
> - Close SeaMonkey
> - Use a text editor to open SiteSecurityServiceState.txt from your 
> profile folder
> - Search for the line containing "myvigoreu.draytek.com"
> - Delete that line
> - Save the file
> - Open SeaMonkey
> - You should now be able to visit 
>  and see the list of downloads

Appears that these bugs are most related:

https://bugzilla.mozilla.org/show_bug.cgi?id=1123971
'HSTS entry in SiteSecurityServiceState.txt blocks me from visiting site'

https://bugzilla.mozilla.org/show_bug.cgi?id=1119778
'Forget about this site does not clear HSTS setting'
  Fixes Firefox so that you can select: History|Show All History| -
right click on the Draytek https link and select 'Forget about this
site' from the dropdown. I cannot find any such option in SeaMonkey, so
perhaps Rainer can file a bug report requesting the ability to clear
sites in SiteSecurityServiceState.txt from the 'History' UI.

> 
> If at any time you visit anything under 
> , SeaMonkey will get the 
> strict-transport-security header again and from then on only access that 
> domain via https:.
> 

___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Browser: unwanted https instead of http

[NoOp]

On 10/14/2016 01:07 PM, mozilla-lists.mbou...@spamgourmet.com wrote:
> NoOp wrote:
>>> Mark Bourne wrote:
 Rainer Bielefeld wrote:
> Hi,
>
> on some (few) web pages I can not reach the linked contents because my
> unofficial en-US SeaMonkey 2.49a1  (NT 6.1; WOW64; rv:52.0)
> Gecko/20100101 Firefox/52.0 Build 20160930004545  (Default Classic
> Theme) on German WIN7 64bit with my normal User Profile automatically
> replaces "http" in URL by "https".
>
> Example:
> 1. In Browser visit 
> 2. In page contents heading line
>  ˋclick downloads - Firmwareˊ
>  Expected:  opens
>  Actual:    will
>not open because it does not exist. So Error 404.
>
> I see that after a short moment in URL bar "http" becomes replaced by
> "https"
>
> This also happens in Safe Mode without add-ons
> No problem in a newly created User Profile.
> So this problem seems to be caused by my preferences, but I can't find
> the responsible one.

 On first trying, that didn't happen for me. Visiting
  stayed on the http: version.

 However, I then changed http: to https:, i.e.
 , and got a 404 Not Found
 page. Now, when I try going back to the http: version, it automatically
 redirects to the https: version.

 Visiting the https: version returns a strict-transport-security header.
 That indicates to the browser that, from now on, it should only access
 that pages on that domain via https:, not http:, to protect against
 attacks which attempt to force use of http:. So when you attempt to
 access the page via http:, the browser instead accesses it via https:.

 Since the site can serve the content in question via http: but not
 https:, it looks like a misconfiguration of that site's server to me -
 either it should be prepared to serve all content via https:, or it
 shouldn't send a strict-transport-security header instructing the
 browser to only use https:!
>>
>> Here's somthing interesting/odd: I was experimenting with the url &
>> found that if you enter  it will
>> redirect to 
>> which is the 'Draytek File Server'. Tested in Firefox, Chrome & Opera
>> (Windows 2.46).
>> And now if I go to  I can select
>> Download|Firmware and it brings up a proper download page (again tested
>> in SeaMonkey 2.46, Firefox, Chrome, Opera (Windows)).
> 
> That's true, but  is not the same as 
> , and Download > Firmware links to a different 
> domain (www.draytek.com. rather than myvigoreu.draytek.com.).
> 
> Download > Firmware from  links to 
>  which. If you've previously 
> visited anything under  and got the 
> strict-transport-security header, accessing that URL leads to SeaMonkey 
> (correctly) loading  
> instead, and that returns a 404 Not Found error. The server at 
> myvigoreu.draytek.com. is basically informing clients that they should 
> only use HTTPS, yet there is some content which it serves only via HTTP 
> and not via HTTPS.
> 

Thanks Mark, I was just pointing out some of the odd link behaviour on
the site

 if you enter  it will
redirect to 
which is the 'Draytek File Server'.

I probably should have pointed out that the link to draytek.com was from
my clicking the 'Draytek Corp' link at the bottom of the file server page.

Gary

___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Browser: unwanted https instead of http

[mozilla-lists . mbourne]

NoOp wrote:

Mark Bourne wrote:

Rainer Bielefeld wrote:

Hi,

on some (few) web pages I can not reach the linked contents because my
unofficial en-US SeaMonkey 2.49a1  (NT 6.1; WOW64; rv:52.0)
Gecko/20100101 Firefox/52.0 Build 20160930004545  (Default Classic
Theme) on German WIN7 64bit with my normal User Profile automatically
replaces "http" in URL by "https".

Example:
1. In Browser visit 
2. In page contents heading line
 ˋclick downloads - Firmwareˊ
 Expected:  opens
 Actual:    will
   not open because it does not exist. So Error 404.

I see that after a short moment in URL bar "http" becomes replaced by
"https"

This also happens in Safe Mode without add-ons
No problem in a newly created User Profile.
So this problem seems to be caused by my preferences, but I can't find
the responsible one.


On first trying, that didn't happen for me. Visiting
 stayed on the http: version.

However, I then changed http: to https:, i.e.
, and got a 404 Not Found
page. Now, when I try going back to the http: version, it automatically
redirects to the https: version.

Visiting the https: version returns a strict-transport-security header.
That indicates to the browser that, from now on, it should only access
that pages on that domain via https:, not http:, to protect against
attacks which attempt to force use of http:. So when you attempt to
access the page via http:, the browser instead accesses it via https:.

Since the site can serve the content in question via http: but not
https:, it looks like a misconfiguration of that site's server to me -
either it should be prepared to serve all content via https:, or it
shouldn't send a strict-transport-security header instructing the
browser to only use https:!


Here's somthing interesting/odd: I was experimenting with the url &
found that if you enter  it will
redirect to 
which is the 'Draytek File Server'. Tested in Firefox, Chrome & Opera
(Windows 2.46).
And now if I go to  I can select
Download|Firmware and it brings up a proper download page (again tested
in SeaMonkey 2.46, Firefox, Chrome, Opera (Windows)).


That's true, but  is not the same as 
, and Download > Firmware links to a different 
domain (www.draytek.com. rather than myvigoreu.draytek.com.).


Download > Firmware from  links to 
 which. If you've previously 
visited anything under  and got the 
strict-transport-security header, accessing that URL leads to SeaMonkey 
(correctly) loading  
instead, and that returns a 404 Not Found error. The server at 
myvigoreu.draytek.com. is basically informing clients that they should 
only use HTTPS, yet there is some content which it serves only via HTTP 
and not via HTTPS.


--
Mark.

___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Browser: unwanted https instead of http

[NoOp]

On 10/13/2016 12:42 PM, mozilla-lists.mbou...@spamgourmet.com wrote:
> Mark Bourne wrote:
>> Rainer Bielefeld wrote:
>>> Hi,
>>>
>>> on some (few) web pages I can not reach the linked contents because my
>>> unofficial en-US SeaMonkey 2.49a1  (NT 6.1; WOW64; rv:52.0)
>>> Gecko/20100101 Firefox/52.0 Build 20160930004545  (Default Classic
>>> Theme) on German WIN7 64bit with my normal User Profile automatically
>>> replaces "http" in URL by "https".
>>>
>>> Example:
>>> 1. In Browser visit 
>>> 2. In page contents heading line
>>> ˋclick downloads - Firmwareˊ
>>> Expected:  opens
>>> Actual:    will
>>>   not open because it does not exist. So Error 404.
>>>
>>> I see that after a short moment in URL bar "http" becomes replaced by
>>> "https"
>>>
>>> This also happens in Safe Mode without add-ons
>>> No problem in a newly created User Profile.
>>> So this problem seems to be caused by my preferences, but I can't find
>>> the responsible one.
>>
>> On first trying, that didn't happen for me. Visiting
>>  stayed on the http: version.
>>
>> However, I then changed http: to https:, i.e.
>> , and got a 404 Not Found
>> page. Now, when I try going back to the http: version, it automatically
>> redirects to the https: version.
>>
>> Visiting the https: version returns a strict-transport-security header.
>> That indicates to the browser that, from now on, it should only access
>> that pages on that domain via https:, not http:, to protect against
>> attacks which attempt to force use of http:. So when you attempt to
>> access the page via http:, the browser instead accesses it via https:.
>>
>> Since the site can serve the content in question via http: but not
>> https:, it looks like a misconfiguration of that site's server to me -
>> either it should be prepared to serve all content via https:, or it
>> shouldn't send a strict-transport-security header instructing the
>> browser to only use https:!
> 
> I should have mentioned I was using SeaMonkey 2.40 on Windows Vista:
> Mozilla/5.0 (Windows NT 6.0; rv:43.0) Gecko/20100101 Firefox/43.0 
> SeaMonkey/2.40
> 
> You can clear SeaMonkey's memory of having seen the 
> strict-transport-security header as follows:
> - Close SeaMonkey
> - Use a text editor to open SiteSecurityServiceState.txt from your 
> profile folder
> - Search for the line containing "myvigoreu.draytek.com"
> - Delete that line
> - Save the file
> - Open SeaMonkey
> - You should now be able to visit 
>  and see the list of downloads
> 
> If at any time you visit anything under 
> , SeaMonkey will get the 
> strict-transport-security header again and from then on only access that 
> domain via https:.
> 

Here's somthing interesting/odd: I was experimenting with the url &
found that if you enter  it will
redirect to 
which is the 'Draytek File Server'. Tested in Firefox, Chrome & Opera
(Windows 2.46).
And now if I go to  I can select
Download|Firmware and it brings up a proper download page (again tested
in SeaMonkey 2.46, Firefox, Chrome, Opera (Windows)).

Please see if you get the same.
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Browser: unwanted https instead of http

[mozilla-lists . mbourne]

Mark Bourne wrote:

Rainer Bielefeld wrote:

Hi,

on some (few) web pages I can not reach the linked contents because my
unofficial en-US SeaMonkey 2.49a1  (NT 6.1; WOW64; rv:52.0)
Gecko/20100101 Firefox/52.0 Build 20160930004545  (Default Classic
Theme) on German WIN7 64bit with my normal User Profile automatically
replaces "http" in URL by "https".

Example:
1. In Browser visit 
2. In page contents heading line
ˋclick downloads - Firmwareˊ
Expected:  opens
Actual:    will
  not open because it does not exist. So Error 404.

I see that after a short moment in URL bar "http" becomes replaced by
"https"

This also happens in Safe Mode without add-ons
No problem in a newly created User Profile.
So this problem seems to be caused by my preferences, but I can't find
the responsible one.


On first trying, that didn't happen for me. Visiting
 stayed on the http: version.

However, I then changed http: to https:, i.e.
, and got a 404 Not Found
page. Now, when I try going back to the http: version, it automatically
redirects to the https: version.

Visiting the https: version returns a strict-transport-security header.
That indicates to the browser that, from now on, it should only access
that pages on that domain via https:, not http:, to protect against
attacks which attempt to force use of http:. So when you attempt to
access the page via http:, the browser instead accesses it via https:.

Since the site can serve the content in question via http: but not
https:, it looks like a misconfiguration of that site's server to me -
either it should be prepared to serve all content via https:, or it
shouldn't send a strict-transport-security header instructing the
browser to only use https:!


I should have mentioned I was using SeaMonkey 2.40 on Windows Vista:
Mozilla/5.0 (Windows NT 6.0; rv:43.0) Gecko/20100101 Firefox/43.0 
SeaMonkey/2.40


You can clear SeaMonkey's memory of having seen the 
strict-transport-security header as follows:

- Close SeaMonkey
- Use a text editor to open SiteSecurityServiceState.txt from your 
profile folder

- Search for the line containing "myvigoreu.draytek.com"
- Delete that line
- Save the file
- Open SeaMonkey
- You should now be able to visit 
 and see the list of downloads


If at any time you visit anything under 
, SeaMonkey will get the 
strict-transport-security header again and from then on only access that 
domain via https:.


--
Mark.

___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Browser: unwanted https instead of http

[mozilla-lists . mbourne]

Rainer Bielefeld wrote:

Hi,

on some (few) web pages I can not reach the linked contents because my
unofficial en-US SeaMonkey 2.49a1  (NT 6.1; WOW64; rv:52.0)
Gecko/20100101 Firefox/52.0 Build 20160930004545  (Default Classic
Theme) on German WIN7 64bit with my normal User Profile automatically
replaces "http" in URL by "https".

Example:
1. In Browser visit 
2. In page contents heading line
ˋclick downloads - Firmwareˊ
Expected:  opens
Actual:    will
  not open because it does not exist. So Error 404.

I see that after a short moment in URL bar "http" becomes replaced by
"https"

This also happens in Safe Mode without add-ons
No problem in a newly created User Profile.
So this problem seems to be caused by my preferences, but I can't find
the responsible one.


On first trying, that didn't happen for me. Visiting 
 stayed on the http: version.


However, I then changed http: to https:, i.e. 
, and got a 404 Not Found 
page. Now, when I try going back to the http: version, it automatically 
redirects to the https: version.


Visiting the https: version returns a strict-transport-security header. 
That indicates to the browser that, from now on, it should only access 
that pages on that domain via https:, not http:, to protect against 
attacks which attempt to force use of http:. So when you attempt to 
access the page via http:, the browser instead accesses it via https:.


Since the site can serve the content in question via http: but not 
https:, it looks like a misconfiguration of that site's server to me - 
either it should be prepared to serve all content via https:, or it 
shouldn't send a strict-transport-security header instructing the 
browser to only use https:!


--
Mark.

___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Browser: unwanted https instead of http

[NoOp]

On 10/13/2016 2:42 AM, Ray_Net wrote:
> NoOp wrote on 13/10/2016 00:44:
...
>>>
>> I can't reproduce in linux 2.46:
>> User agent: Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101
>> Firefox/49.0 SeaMonkey/2.46
>> Build identifier: 20160922144825
>> but can in Windows (see my other post in this thread).
>> The prefs.js file for the linux client and the Windows client were
>> identical -
>>I even went through the Win prefs.js and cleaned out all the left over
>> crap entries from 'HTTPS Everywere' (extensions.https_everywhere.*) and
>> still can reproduce on the Windows client. I left them in in the linux
>> client.
>>
>> So, I'm stumpted :-(
>>
>> In the interim, Rainer can go to the ftp directory to download:
>> ftp://ftp.draytek.com/
>> (or try Chrome).
>>
>>
>>
>>
> Have you tried to clear the cache ?
> 

Yes.
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Browser: unwanted https instead of http

[Ray_Net]

NoOp wrote on 13/10/2016 00:44:

On 10/12/2016 01:05 PM, WaltS48 wrote:

On 10/12/2016 10:47 AM, Paul B. Gallagher wrote:

Ray_Net wrote:

Paul B. Gallagher wrote on 12/10/2016 15:09:

Lee wrote:

On 10/12/16, Paul B. Gallagher  wrote:

Rainer Bielefeld wrote:


Hi,

on some (few) web pages I can not reach the linked contents
because my
unofficial en-US SeaMonkey 2.49a1  (NT 6.1; WOW64; rv:52.0)
Gecko/20100101 Firefox/52.0 Build 20160930004545  (Default Classic
Theme) on German WIN7 64bit with my normal User Profile automatically
replaces "http" in URL by "https".

Example:
1. In Browser visit 
2. In page contents heading line
  ˋclick downloads - Firmwareˊ
  Expected:  opens
  Actual:  will
not open because it does not exist. So Error 404.

I see that after a short moment in URL bar "http" becomes replaced by
"https"

Unable to reproduce. I just get the requested directory of
downloadable
files. Waited 13 minutes, no switch to https.

A lot of sites automatically redirect you to the https version of
their site, like google.
http://www.google.com  redirects to  https://www.google.com

True enough, but this one didn't.

As Bret noted, this redirection is probably some feature of the site,
and not of SeaMonkey.


If it's the site  Could you explain why ONLY Rainer Bielefeld  have
the problem ?

I can't, hence the "probably."

On the other hand, I can't think of any reason why SM would alter a URL.



It's SeaMonkey 2.46, based on Gecko 52.0 which has changes to it that
redirects http to https pages, if they exist?

No idea why it doesn't in a new profile, other than there are no changes
and his production profile is corrupt.


I can't reproduce in linux 2.46:
User agent: Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101
Firefox/49.0 SeaMonkey/2.46
Build identifier: 20160922144825
but can in Windows (see my other post in this thread).
The prefs.js file for the linux client and the Windows client were
identical -
   I even went through the Win prefs.js and cleaned out all the left over
crap entries from 'HTTPS Everywere' (extensions.https_everywhere.*) and
still can reproduce on the Windows client. I left them in in the linux
client.

So, I'm stumpted :-(

In the interim, Rainer can go to the ftp directory to download:
ftp://ftp.draytek.com/
(or try Chrome).





Have you tried to clear the cache ?
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Browser: unwanted https instead of http

[NoOp]

On 10/12/2016 01:05 PM, WaltS48 wrote:
> On 10/12/2016 10:47 AM, Paul B. Gallagher wrote:
>> Ray_Net wrote:
>>> Paul B. Gallagher wrote on 12/10/2016 15:09:
 Lee wrote:
> On 10/12/16, Paul B. Gallagher  wrote:
>> Rainer Bielefeld wrote:
>>
>>> Hi,
>>>
>>> on some (few) web pages I can not reach the linked contents 
>>> because my
>>> unofficial en-US SeaMonkey 2.49a1  (NT 6.1; WOW64; rv:52.0)
>>> Gecko/20100101 Firefox/52.0 Build 20160930004545  (Default Classic
>>> Theme) on German WIN7 64bit with my normal User Profile automatically
>>> replaces "http" in URL by "https".
>>>
>>> Example:
>>> 1. In Browser visit 
>>> 2. In page contents heading line
>>>  ˋclick downloads - Firmwareˊ
>>>  Expected:  opens
>>>  Actual:  will
>>>not open because it does not exist. So Error 404.
>>>
>>> I see that after a short moment in URL bar "http" becomes replaced by
>>> "https"
>>
>> Unable to reproduce. I just get the requested directory of 
>> downloadable
>> files. Waited 13 minutes, no switch to https.
>
> A lot of sites automatically redirect you to the https version of
> their site, like google.
> http://www.google.com  redirects to  https://www.google.com

 True enough, but this one didn't.

 As Bret noted, this redirection is probably some feature of the site,
 and not of SeaMonkey.

>>> If it's the site  Could you explain why ONLY Rainer Bielefeld  have
>>> the problem ?
>> 
>> I can't, hence the "probably."
>> 
>> On the other hand, I can't think of any reason why SM would alter a URL.
>> 
> 
> 
> It's SeaMonkey 2.46, based on Gecko 52.0 which has changes to it that 
> redirects http to https pages, if they exist?
> 
> No idea why it doesn't in a new profile, other than there are no changes 
> and his production profile is corrupt.
> 

I can't reproduce in linux 2.46:
User agent: Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101
Firefox/49.0 SeaMonkey/2.46
Build identifier: 20160922144825
but can in Windows (see my other post in this thread).
The prefs.js file for the linux client and the Windows client were
identical -
  I even went through the Win prefs.js and cleaned out all the left over
crap entries from 'HTTPS Everywere' (extensions.https_everywhere.*) and
still can reproduce on the Windows client. I left them in in the linux
client.

So, I'm stumpted :-(

In the interim, Rainer can go to the ftp directory to download:
ftp://ftp.draytek.com/
(or try Chrome).




___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Browser: unwanted https instead of http

[Ray_Net]

Rainer Bielefeld wrote on 12/10/2016 06:30:

Hi,

on some (few) web pages I can not reach the linked contents because my
unofficial en-US SeaMonkey 2.49a1  (NT 6.1; WOW64; rv:52.0)
Gecko/20100101 Firefox/52.0 Build 20160930004545  (Default Classic
Theme) on German WIN7 64bit with my normal User Profile automatically
replaces "http" in URL by "https".

Example:
1. In Browser visit 
2. In page contents heading line
ˋclick downloads - Firmwareˊ
Expected:  opens
Actual:    will
  not open because it does not exist. So Error 404.

I see that after a short moment in URL bar "http" becomes replaced by
"https"

This also happens in Safe Mode without add-ons
No problem in a newly created User Profile.
So this problem seems to be caused by my preferences, but I can't find
the responsible one.

Any ideas?

Best Regards

Rainer

Have you tried to clear the cache ?
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Browser: unwanted https instead of http

[WaltS48]

On 10/12/2016 10:47 AM, Paul B. Gallagher wrote:

Ray_Net wrote:

Paul B. Gallagher wrote on 12/10/2016 15:09:

Lee wrote:

On 10/12/16, Paul B. Gallagher  wrote:

Rainer Bielefeld wrote:


Hi,

on some (few) web pages I can not reach the linked contents 
because my

unofficial en-US SeaMonkey 2.49a1  (NT 6.1; WOW64; rv:52.0)
Gecko/20100101 Firefox/52.0 Build 20160930004545  (Default Classic
Theme) on German WIN7 64bit with my normal User Profile automatically
replaces "http" in URL by "https".

Example:
1. In Browser visit 
2. In page contents heading line
 ˋclick downloads - Firmwareˊ
 Expected:  opens
 Actual:  will
   not open because it does not exist. So Error 404.

I see that after a short moment in URL bar "http" becomes replaced by
"https"


Unable to reproduce. I just get the requested directory of 
downloadable

files. Waited 13 minutes, no switch to https.


A lot of sites automatically redirect you to the https version of
their site, like google.
http://www.google.com  redirects to  https://www.google.com


True enough, but this one didn't.

As Bret noted, this redirection is probably some feature of the site,
and not of SeaMonkey.


If it's the site  Could you explain why ONLY Rainer Bielefeld  have
the problem ?


I can't, hence the "probably."

On the other hand, I can't think of any reason why SM would alter a URL.




It's SeaMonkey 2.46, based on Gecko 52.0 which has changes to it that 
redirects http to https pages, if they exist?


No idea why it doesn't in a new profile, other than there are no changes 
and his production profile is corrupt.


--
Visit Pittsburgh 
Ubuntu 16.04.1 LTS
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Browser: unwanted https instead of http

[NoOp]

On 10/11/2016 9:30 PM, Rainer Bielefeld wrote:
> Hi,
> 
> on some (few) web pages I can not reach the linked contents because my
> unofficial en-US SeaMonkey 2.49a1  (NT 6.1; WOW64; rv:52.0)
> Gecko/20100101 Firefox/52.0 Build 20160930004545  (Default Classic
> Theme) on German WIN7 64bit with my normal User Profile automatically
> replaces "http" in URL by "https".
> 
> Example:
> 1. In Browser visit 
> 2. In page contents heading line
>ˋclick downloads - Firmwareˊ
>Expected:  opens
>Actual:    will
>  not open because it does not exist. So Error 404.
> 
> I see that after a short moment in URL bar "http" becomes replaced by
> "https"
> 
> This also happens in Safe Mode without add-ons
> No problem in a newly created User Profile.
> So this problem seems to be caused by my preferences, but I can't find
> the responsible one.
> 
> Any ideas?
> 
> Best Regards
> 
> Rainer
> 

Redirect for me in 2.46 Windows. However, I also get the same with
Firefox 50.0b6, and Opera 40.02. I do not get the redirect in Chrome 53.0.2x
In Opera I got a onetime redirect to DrayTek's home page:
https://myvigor.draytek.com/HomePage/main.php
So it could very well be site related?

Note: I even uninstalled 'HTTPS Everywhere' in Opera just in case - it
wasn't installed in Firefox, so nothing to remove.
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Browser: unwanted https instead of http

[Paul B. Gallagher]

Ray_Net wrote:

Paul B. Gallagher wrote on 12/10/2016 15:09:

Lee wrote:

On 10/12/16, Paul B. Gallagher  wrote:

Rainer Bielefeld wrote:


Hi,

on some (few) web pages I can not reach the linked contents because my
unofficial en-US SeaMonkey 2.49a1  (NT 6.1; WOW64; rv:52.0)
Gecko/20100101 Firefox/52.0 Build 20160930004545  (Default Classic
Theme) on German WIN7 64bit with my normal User Profile automatically
replaces "http" in URL by "https".

Example:
1. In Browser visit 
2. In page contents heading line
 ˋclick downloads - Firmwareˊ
 Expected:  opens
 Actual:  will
   not open because it does not exist. So Error 404.

I see that after a short moment in URL bar "http" becomes replaced by
"https"


Unable to reproduce. I just get the requested directory of downloadable
files. Waited 13 minutes, no switch to https.


A lot of sites automatically redirect you to the https version of
their site, like google.
http://www.google.com  redirects to  https://www.google.com


True enough, but this one didn't.

As Bret noted, this redirection is probably some feature of the site,
and not of SeaMonkey.


If it's the site  Could you explain why ONLY Rainer Bielefeld  have
the problem ?


I can't, hence the "probably."

On the other hand, I can't think of any reason why SM would alter a URL.

--
War doesn't determine who's right, just who's left.
--
Paul B. Gallagher
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Browser: unwanted https instead of http

[Ray_Net]

Paul B. Gallagher wrote on 12/10/2016 15:09:

Lee wrote:

On 10/12/16, Paul B. Gallagher  wrote:

Rainer Bielefeld wrote:


Hi,

on some (few) web pages I can not reach the linked contents because my
unofficial en-US SeaMonkey 2.49a1  (NT 6.1; WOW64; rv:52.0)
Gecko/20100101 Firefox/52.0 Build 20160930004545  (Default Classic
Theme) on German WIN7 64bit with my normal User Profile automatically
replaces "http" in URL by "https".

Example:
1. In Browser visit 
2. In page contents heading line
 ˋclick downloads - Firmwareˊ
 Expected:  opens
 Actual:  will
   not open because it does not exist. So Error 404.

I see that after a short moment in URL bar "http" becomes replaced by
"https"


Unable to reproduce. I just get the requested directory of downloadable
files. Waited 13 minutes, no switch to https.


A lot of sites automatically redirect you to the https version of
their site, like google.
http://www.google.com  redirects to  https://www.google.com


True enough, but this one didn't.

As Bret noted, this redirection is probably some feature of the site, 
and not of SeaMonkey.


If it's the site  Could you explain why ONLY Rainer Bielefeld  have 
the problem ?

___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Browser: unwanted https instead of http

[Paul B. Gallagher]

Lee wrote:

On 10/12/16, Paul B. Gallagher  wrote:

Rainer Bielefeld wrote:


Hi,

on some (few) web pages I can not reach the linked contents because my
unofficial en-US SeaMonkey 2.49a1  (NT 6.1; WOW64; rv:52.0)
Gecko/20100101 Firefox/52.0 Build 20160930004545  (Default Classic
Theme) on German WIN7 64bit with my normal User Profile automatically
replaces "http" in URL by "https".

Example:
1. In Browser visit 
2. In page contents heading line
 ˋclick downloads - Firmwareˊ
 Expected:  opens
 Actual:    will
   not open because it does not exist. So Error 404.

I see that after a short moment in URL bar "http" becomes replaced by
"https"


Unable to reproduce. I just get the requested directory of downloadable
files. Waited 13 minutes, no switch to https.


A lot of sites automatically redirect you to the https version of
their site, like google.
http://www.google.com  redirects to  https://www.google.com


True enough, but this one didn't.

As Bret noted, this redirection is probably some feature of the site, 
and not of SeaMonkey.


--
War doesn't determine who's right, just who's left.
--
Paul B. Gallagher
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Browser: unwanted https instead of http

[Lee]

On 10/12/16, Paul B. Gallagher  wrote:
> Rainer Bielefeld wrote:
>
>> Hi,
>>
>> on some (few) web pages I can not reach the linked contents because my
>> unofficial en-US SeaMonkey 2.49a1  (NT 6.1; WOW64; rv:52.0)
>> Gecko/20100101 Firefox/52.0 Build 20160930004545  (Default Classic
>> Theme) on German WIN7 64bit with my normal User Profile automatically
>> replaces "http" in URL by "https".
>>
>> Example:
>> 1. In Browser visit 
>> 2. In page contents heading line
>> ˋclick downloads - Firmwareˊ
>> Expected:  opens
>> Actual:    will
>>   not open because it does not exist. So Error 404.
>>
>> I see that after a short moment in URL bar "http" becomes replaced by
>> "https"
>
> Unable to reproduce. I just get the requested directory of downloadable
> files. Waited 13 minutes, no switch to https.

A lot of sites automatically redirect you to the https version of
their site, like google.
http://www.google.com  redirects to  https://www.google.com

Regards,
Lee
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Browser: unwanted https instead of http

[Paul B. Gallagher]

Rainer Bielefeld wrote:


Hi,

on some (few) web pages I can not reach the linked contents because my
unofficial en-US SeaMonkey 2.49a1  (NT 6.1; WOW64; rv:52.0)
Gecko/20100101 Firefox/52.0 Build 20160930004545  (Default Classic
Theme) on German WIN7 64bit with my normal User Profile automatically
replaces "http" in URL by "https".

Example:
1. In Browser visit 
2. In page contents heading line
ˋclick downloads - Firmwareˊ
Expected:  opens
Actual:    will
  not open because it does not exist. So Error 404.

I see that after a short moment in URL bar "http" becomes replaced by
"https"


Unable to reproduce. I just get the requested directory of downloadable 
files. Waited 13 minutes, no switch to https.


--
War doesn't determine who's right, just who's left.
--
Paul B. Gallagher

___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Browser: unwanted https instead of http

[Bret Busby]

On 12/10/2016, Rainer Bielefeld  wrote:
> Hi,
>
> on some (few) web pages I can not reach the linked contents because my
> unofficial en-US SeaMonkey 2.49a1  (NT 6.1; WOW64; rv:52.0)
> Gecko/20100101 Firefox/52.0 Build 20160930004545  (Default Classic
> Theme) on German WIN7 64bit with my normal User Profile automatically
> replaces "http" in URL by "https".
>
> Example:
> 1. In Browser visit 
> 2. In page contents heading line
>ˋclick downloads - Firmwareˊ
>Expected:  opens
>Actual:    will
>  not open because it does not exist. So Error 404.
>
> I see that after a short moment in URL bar "http" becomes replaced by
> "https"
>
> This also happens in Safe Mode without add-ons
> No problem in a newly created User Profile.
> So this problem seems to be caused by my preferences, but I can't find
> the responsible one.
>
> Any ideas?
>
> Best Regards
>
> Rainer
> ___
> support-seamonkey mailing list
> support-seamonkey@lists.mozilla.org
> https://lists.mozilla.org/listinfo/support-seamonkey
>


Hello.

It is my understanding, and, I accept correction, if I am wrong, that
many web sites have been changed to https, for the sake of web site
security; to try to prevent their web sites from being breached and
malicious material being inserted on their web sites.

From what I understand, the changing to https, has nothing to do with
the web browser being used (although, I have found that some of the
web browsers that I use, have problems with https, or, with some https
web sites), but, is instead, solely the intent of the web site
developers and maintainers.

As I stated, I stand to be corrected, if I am wrong.

-- 

Bret Busby
Armadale
West Australia

..

"So once you do know what the question actually is,
 you'll know what the answer means."
- Deep Thought,
 Chapter 28 of Book 1 of
 "The Hitchhiker's Guide to the Galaxy:
 A Trilogy In Four Parts",
 written by Douglas Adams,
 published by Pan Books, 1992


___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Browser: unwanted https instead of http

[Rainer Bielefeld]

Hi,

on some (few) web pages I can not reach the linked contents because my
unofficial en-US SeaMonkey 2.49a1  (NT 6.1; WOW64; rv:52.0)
Gecko/20100101 Firefox/52.0 Build 20160930004545  (Default Classic
Theme) on German WIN7 64bit with my normal User Profile automatically
replaces "http" in URL by "https".

Example:
1. In Browser visit 
2. In page contents heading line
   ˋclick downloads - Firmwareˊ
   Expected:  opens
   Actual:    will
 not open because it does not exist. So Error 404.

I see that after a short moment in URL bar "http" becomes replaced by
"https"

This also happens in Safe Mode without add-ons
No problem in a newly created User Profile.
So this problem seems to be caused by my preferences, but I can't find
the responsible one.

Any ideas?

Best Regards

Rainer
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey