Re: openbsd.org - certain https URLs downgraded to http in redirection

2020-04-04 Thread Ingo Schwarze
Hi Constantine,

Constantine A. Murenin wrote on Tue, Mar 31, 2020 at 01:24:30PM -0500:

> What you say makes no sense

I wouldn't go that far; i think Aham has a point, even though it
certainly isn't a critical nor an urgent problem.

> for one simple reason: man.cgi (and cvsweb) moved out of www.openbsd.org
> ages ago, prior to there being any https on www.openbsd.org (correct me
> if I'm wrong here),

Not sure, maybe.  I don't feel like spending time on trying to find
out, it doesn't seem that important.

> so, there should not be any legitimate organic links that would be
> linking to https towards www.openbsd.org/cgi-bin/ in the first place;
> as such, there's little reason to change anything here.

Who knows what links people may have put into their web pages at
which times and for which reasons or what they type in their browser
address bars; those are not very pressing questions either.

The reason the redirection wasn't changed yet to avoid redirecting
incoming HTTPs connections to HTTP URIs elsewhere merely is that
the people having the necessary access to the www.openbsd.org server
are busy and apparently don't consider it a priority to improve
this particular detail.

While i do maintain man.openbsd.org, i don't have access to
www.openbsd.org, and i'm not sure i even want such access.

Yours,
  Ingo



Re: openbsd.org - certain https URLs downgraded to http in redirection

2020-03-31 Thread Constantine A. Murenin
What you say makes no sense for one simple reason: man.cgi (and cvsweb)
moved out of www.openbsd.org ages ago, prior to there being any https on
www.openbsd.org (correct me if I'm wrong here), so, there should not be any
legitimate organic links that would be linking to https towards
www.openbsd.org/cgi-bin/ in the first place; as such, there's little reason
to change anything here.

C.

On Tue, 31 Mar 2020 at 08:00, Aham Brahmasmi  wrote:

> Namaste misc,
>
> Apologies for the reincarnation of this mail trail.
>
> > Sent: Tuesday, February 25, 2020 at 10:40 PM
> > From: "Constantine A. Murenin" 
> > To: "Vincenzo Nicosia" 
> > Cc: "Stuart Henderson" , "misc@openbsd.org" <
> misc@openbsd.org>
> > Subject: Re: openbsd.org - certain https URLs downgraded to http in
> redirection
> >
> > On Tue, 25 Feb 2020 at 04:35, Vincenzo Nicosia 
> wrote:
> >
> > > On Tue, Feb 25, 2020 at 07:57:24AM -, Stuart Henderson wrote:
> > >
> > > [cut]
> > >
> > > > > Want https? great. use it.  There are times when it's handy to NOT
> > > > > be obsessed with https (i.e., clock is hosed on your computer).
> > > > >
> > > > > So ... unless some developer I really respect (which is just about
> > > > > all of them1) tells me to change this, I'm not planning on
> > > > > changing the behavior of the machines.
> > > >
> > > > I did object to http->https redirects in the past, but now the web is
> > > > unusable without working https anyway and the "INSECURE openbsd.org"
> > > > shown on some browsers *is* a bit of an eyesore ...
> > > >
> > >
> > > IMHO, the fact that corporates (Google) want to dictate what is secure
> > > and what is not, is not sufficient to force everybody on https, at all
> > > times. I personally don't give a toss of what Chrome thinks of a
> > > website and its security (maybe because I have never used Chrome or
> > > because I quit google searches more than 10 years ago...).
> > >
> > > There are many cases where the overhead introduced by https is really
> > > not worth the extra bit of confidentiality you get. And we are talking
> > > here of manpages (that are installed in your system anyway) and of
> > > system sources (that are available for download at any time, even from
> > > an HTTPS mirror)...
> > >
> > > Sorry for the rant, but if I type "http://bring.me.there" I don't want
> > > to find myself at "https://we.brought.you.somewhere.else". I am not a
> > > chimp. I know what I type in my URL box. I know what I expect. And I
> > > want to be able to serve content via HTTP/1.0 if I need so.
> > >
> >
> > Exactly.
> >
> > Folks often forget, or are blissfully unaware, that Google Search itself
> > still does work over both HTTP (without the S) as well as over the legacy
> > TLSv1.0 HTTPS, so, the propaganda efforts and the destructive webmaster
> > advice given by the Google Chrome and Mozilla teams to suppress the
> > minorities from being able to access the websites is hypocritical, to say
> > the least.  /Do as I say, not as I do./
> >
> > The HTTP and TLSv1.0 traffic is mostly bots, some folks say?  Surprise —
> > many bots are still controlled by good people, used to do various useful
> > things, so, you're still blocking actual people from a minority class
> from
> > having access to your website.  Not to mention the older phones and
> tablets
> > with hundreds of megabytes of RAM and gigabytes of storage space that
> were
> > abandoned by their creators and don't support TLSv1.2 and/or all the
> newest
> > ciphers that are deemed to be the best practice today.  The sad part is
> > that the non-profits of today (e.g., Mozilla and Wikipedia) are
> effectively
> > brokering the planned obsolescence of all these devices on behalf of the
> > respective vendors.
> >
> > C.
> >
>
> Current situation:
>
> https://www.openbsd.org/cgi-bin/man.cgi* ->
> http://man.openbsd.org/cgi-bin/man.cgi*
> https://www.openbsd.org/cgi-bin/cvsweb ->
> http://cvsweb.openbsd.org/cgi-bin/cvsweb
>
> http://www.openbsd.org/cgi-bin/man.cgi* ->
> http://man.openbsd.org/cgi-bin/man.cgi*
> http://www.openbsd.org/cgi-bin/cvsweb ->
> http://cvsweb.openbsd.org/cgi-bin/cvsweb
>
> What volks here thought I was asking for:
>
> https://www.openbsd.org/cgi-bin/man.cgi* ->
> https://man.openbsd.org/cgi-bin/man.cgi*
> https://www.open

Re: openbsd.org - certain https URLs downgraded to http in redirection

2020-03-31 Thread Aham Brahmasmi
Namaste misc,

Apologies for the reincarnation of this mail trail.

> Sent: Tuesday, February 25, 2020 at 10:40 PM
> From: "Constantine A. Murenin" 
> To: "Vincenzo Nicosia" 
> Cc: "Stuart Henderson" , "misc@openbsd.org" 
> 
> Subject: Re: openbsd.org - certain https URLs downgraded to http in 
> redirection
>
> On Tue, 25 Feb 2020 at 04:35, Vincenzo Nicosia  wrote:
> 
> > On Tue, Feb 25, 2020 at 07:57:24AM -, Stuart Henderson wrote:
> >
> > [cut]
> >
> > > > Want https? great. use it.  There are times when it's handy to NOT
> > > > be obsessed with https (i.e., clock is hosed on your computer).
> > > >
> > > > So ... unless some developer I really respect (which is just about
> > > > all of them1) tells me to change this, I'm not planning on
> > > > changing the behavior of the machines.
> > >
> > > I did object to http->https redirects in the past, but now the web is
> > > unusable without working https anyway and the "INSECURE openbsd.org"
> > > shown on some browsers *is* a bit of an eyesore ...
> > >
> >
> > IMHO, the fact that corporates (Google) want to dictate what is secure
> > and what is not, is not sufficient to force everybody on https, at all
> > times. I personally don't give a toss of what Chrome thinks of a
> > website and its security (maybe because I have never used Chrome or
> > because I quit google searches more than 10 years ago...).
> >
> > There are many cases where the overhead introduced by https is really
> > not worth the extra bit of confidentiality you get. And we are talking
> > here of manpages (that are installed in your system anyway) and of
> > system sources (that are available for download at any time, even from
> > an HTTPS mirror)...
> >
> > Sorry for the rant, but if I type "http://bring.me.there" I don't want
> > to find myself at "https://we.brought.you.somewhere.else". I am not a
> > chimp. I know what I type in my URL box. I know what I expect. And I
> > want to be able to serve content via HTTP/1.0 if I need so.
> >
> 
> Exactly.
> 
> Folks often forget, or are blissfully unaware, that Google Search itself
> still does work over both HTTP (without the S) as well as over the legacy
> TLSv1.0 HTTPS, so, the propaganda efforts and the destructive webmaster
> advice given by the Google Chrome and Mozilla teams to suppress the
> minorities from being able to access the websites is hypocritical, to say
> the least.  /Do as I say, not as I do./
> 
> The HTTP and TLSv1.0 traffic is mostly bots, some folks say?  Surprise —
> many bots are still controlled by good people, used to do various useful
> things, so, you're still blocking actual people from a minority class from
> having access to your website.  Not to mention the older phones and tablets
> with hundreds of megabytes of RAM and gigabytes of storage space that were
> abandoned by their creators and don't support TLSv1.2 and/or all the newest
> ciphers that are deemed to be the best practice today.  The sad part is
> that the non-profits of today (e.g., Mozilla and Wikipedia) are effectively
> brokering the planned obsolescence of all these devices on behalf of the
> respective vendors.
> 
> C.
> 

Current situation:

https://www.openbsd.org/cgi-bin/man.cgi* -> 
http://man.openbsd.org/cgi-bin/man.cgi*
https://www.openbsd.org/cgi-bin/cvsweb -> 
http://cvsweb.openbsd.org/cgi-bin/cvsweb

http://www.openbsd.org/cgi-bin/man.cgi* -> 
http://man.openbsd.org/cgi-bin/man.cgi*
http://www.openbsd.org/cgi-bin/cvsweb -> 
http://cvsweb.openbsd.org/cgi-bin/cvsweb

What volks here thought I was asking for:

https://www.openbsd.org/cgi-bin/man.cgi* -> 
https://man.openbsd.org/cgi-bin/man.cgi*
https://www.openbsd.org/cgi-bin/cvsweb -> 
https://cvsweb.openbsd.org/cgi-bin/cvsweb

http://www.openbsd.org/cgi-bin/man.cgi* -> 
https://man.openbsd.org/cgi-bin/man.cgi*
http://www.openbsd.org/cgi-bin/cvsweb -> 
https://cvsweb.openbsd.org/cgi-bin/cvsweb

What my actual request is:

https://www.openbsd.org/cgi-bin/man.cgi* -> 
https://man.openbsd.org/cgi-bin/man.cgi*
https://www.openbsd.org/cgi-bin/cvsweb -> 
https://cvsweb.openbsd.org/cgi-bin/cvsweb

http://www.openbsd.org/cgi-bin/man.cgi* -> 
http://man.openbsd.org/cgi-bin/man.cgi*
http://www.openbsd.org/cgi-bin/cvsweb -> 
http://cvsweb.openbsd.org/cgi-bin/cvsweb

In other words,

Current configuration
https -> http
http -> http

Not Intended configuration
https -> https
http -> https

Intended configuration
https -> https
http -> http

Currently, requests arriving on https as well as http ports are
redirected to the ht

Re: openbsd.org - certain https URLs downgraded to http in redirection

2020-02-25 Thread Constantine A. Murenin
On Tue, 25 Feb 2020 at 04:35, Vincenzo Nicosia  wrote:

> On Tue, Feb 25, 2020 at 07:57:24AM -, Stuart Henderson wrote:
>
> [cut]
>
> > > Want https? great. use it.  There are times when it's handy to NOT
> > > be obsessed with https (i.e., clock is hosed on your computer).
> > >
> > > So ... unless some developer I really respect (which is just about
> > > all of them1) tells me to change this, I'm not planning on
> > > changing the behavior of the machines.
> >
> > I did object to http->https redirects in the past, but now the web is
> > unusable without working https anyway and the "INSECURE openbsd.org"
> > shown on some browsers *is* a bit of an eyesore ...
> >
>
> IMHO, the fact that corporates (Google) want to dictate what is secure
> and what is not, is not sufficient to force everybody on https, at all
> times. I personally don't give a toss of what Chrome thinks of a
> website and its security (maybe because I have never used Chrome or
> because I quit google searches more than 10 years ago...).
>
> There are many cases where the overhead introduced by https is really
> not worth the extra bit of confidentiality you get. And we are talking
> here of manpages (that are installed in your system anyway) and of
> system sources (that are available for download at any time, even from
> an HTTPS mirror)...
>
> Sorry for the rant, but if I type "http://bring.me.there" I don't want
> to find myself at "https://we.brought.you.somewhere.else". I am not a
> chimp. I know what I type in my URL box. I know what I expect. And I
> want to be able to serve content via HTTP/1.0 if I need so.
>

Exactly.

Folks often forget, or are blissfully unaware, that Google Search itself
still does work over both HTTP (without the S) as well as over the legacy
TLSv1.0 HTTPS, so, the propaganda efforts and the destructive webmaster
advice given by the Google Chrome and Mozilla teams to suppress the
minorities from being able to access the websites is hypocritical, to say
the least.  /Do as I say, not as I do./

The HTTP and TLSv1.0 traffic is mostly bots, some folks say?  Surprise —
many bots are still controlled by good people, used to do various useful
things, so, you're still blocking actual people from a minority class from
having access to your website.  Not to mention the older phones and tablets
with hundreds of megabytes of RAM and gigabytes of storage space that were
abandoned by their creators and don't support TLSv1.2 and/or all the newest
ciphers that are deemed to be the best practice today.  The sad part is
that the non-profits of today (e.g., Mozilla and Wikipedia) are effectively
brokering the planned obsolescence of all these devices on behalf of the
respective vendors.

C.


Re: openbsd.org - certain https URLs downgraded to http in redirection

2020-02-25 Thread Greg Hewgill
February 25, 2020 11:32 PM, "Vincenzo Nicosia"  wrote:

> There are many cases where the overhead introduced by https is really
> not worth the extra bit of confidentiality you get.

It's not just about confidentiality - https also ensures integrity, and
prevents nefarious network operators (i.e. your ISP) from altering your
requested web pages to insert ads or other malware. This happens more often
than you might expect.

Fortunately, the wide adoption of https has made this sort of evil content
alteration less appealing.



Re: openbsd.org - certain https URLs downgraded to http in redirection

2020-02-25 Thread Vincenzo Nicosia
On Tue, Feb 25, 2020 at 07:57:24AM -, Stuart Henderson wrote:

[cut]

> > Want https? great. use it.  There are times when it's handy to NOT
> > be obsessed with https (i.e., clock is hosed on your computer).  
> >
> > So ... unless some developer I really respect (which is just about
> > all of them1) tells me to change this, I'm not planning on
> > changing the behavior of the machines.
> 
> I did object to http->https redirects in the past, but now the web is
> unusable without working https anyway and the "INSECURE openbsd.org"
> shown on some browsers *is* a bit of an eyesore ...
> 

IMHO, the fact that corporates (Google) want to dictate what is secure
and what is not, is not sufficient to force everybody on https, at all
times. I personally don't give a toss of what Chrome thinks of a
website and its security (maybe because I have never used Chrome or
because I quit google searches more than 10 years ago...).

There are many cases where the overhead introduced by https is really
not worth the extra bit of confidentiality you get. And we are talking
here of manpages (that are installed in your system anyway) and of
system sources (that are available for download at any time, even from
an HTTPS mirror)...

Sorry for the rant, but if I type "http://bring.me.there" I don't want
to find myself at "https://we.brought.you.somewhere.else". I am not a
chimp. I know what I type in my URL box. I know what I expect. And I
want to be able to serve content via HTTP/1.0 if I need so. 



Re: openbsd.org - certain https URLs downgraded to http in redirection

2020-02-24 Thread Stuart Henderson
On 2020-02-25, Nick Holland  wrote:
> Sorry, took a look at this a while back when I didn't have time to
> fully work through it...and then forgot about it. ;-/
>
> On 2020-02-12 04:34, Aham Brahmasmi wrote:
>> Namaste misc,
>> 
>> Overview:
>> Certain https URLs on openbsd.org get downgraded to http in redirection.
>> 
>> Steps:
>> When navigating to https://www.openbsd.org/cgi-bin/man.cgi [1] from a
>> browser, one ends up on http://man.openbsd.org/cgi-bin/man.cgi.
>>
>> Same with https://www.openbsd.org/cgi-bin/cvsweb [1], which ends up on
>> http://cvsweb.openbsd.org/cgi-bin/cvsweb/.
>
> I Google for "openbsd man", I end up with a link to 
> httpS://man.openbsd.org.
> and it takes me to man.openbsd.org via httpS.
>
> I duckduckgo.com for "openbsd man", same thing.
> (yay.  I just used a website as a verb.)
>
> Google does seem to show a link for httpS://cvsweb.openbsd.org, but
> tosses the browser at http://cvsweb.openbsd.org. DuckDuckGo does not
> and does what you would expect and hope.

Google has https://www.openbsd.org/cgi-bin/cvsweb/, not
https://cvsweb.openbsd.org.

> Looking at the page source for the google return, it DOES appear to
> be sending the browser to http://, so everything is working as
> designed.  Is there a problem?  Yes -- google is aware https:// 
> those sites exist, but doesn't actually send users to them.
> 
> Apparently your favorite search engine does as well.  Perhaps it
> isn't as privacy friendly as you are thinking it is.  The problem
> isn't with the websites, it's with where the search engine is 
> sending the user.

The problem *is* with the website (specifically www.openbsd.org, not
man/cvsweb). It redirects the old cgi-bin URLs to http versions whatever
protocol the request came in on.

$ ftp -o/dev/null https://www.openbsd.org/cgi-bin/cvsweb/
Trying 129.128.5.194...
Requesting https://www.openbsd.org/cgi-bin/cvsweb/
Redirected to http://cvsweb.openbsd.org/cgi-bin/cvsweb/
Trying 128.100.17.243...
Requesting http://cvsweb.openbsd.org/cgi-bin/cvsweb/
2607 bytes received in 0.01 seconds (265.55 KB/s)

$ ftp -o/dev/null https://www.openbsd.org/cgi-bin/man.cgi
Trying 129.128.5.194...
Requesting https://www.openbsd.org/cgi-bin/man.cgi
Redirected to http://man.openbsd.org/cgi-bin/man.cgi
Trying 128.100.17.244...
Requesting http://man.openbsd.org/cgi-bin/man.cgi
5590 bytes received in 0.00 seconds (1.55 MB/s)

> You want it changed so that when someone clicks on a link, they go
> somewhere OTHER than where that link sends them?  I understand your
> goal (everything should be HTTPS!!), but I don't really like the
> idea of "click here, go elsewhere".
>
> Want https? great. use it.  There are times when it's handy to NOT
> be obsessed with https (i.e., clock is hosed on your computer).  
>
> So ... unless some developer I really respect (which is just about
> all of them1) tells me to change this, I'm not planning on
> changing the behavior of the machines.

I did object to http->https redirects in the past, but now the web is
unusable without working https anyway and the "INSECURE openbsd.org"
shown on some browsers *is* a bit of an eyesore ...
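A check for the downgrade Stuart's ftp(1) transcript shows, as an added example that is not code from the thread or from OpenBSD: it parses the "Requesting" / "Redirected to" lines ftp(1) prints and flags every hop where an https:// request is answered with an http:// Location. The first two runs in the sample are the ones quoted above; the third (example.test, 192.0.2.1) is constructed to show a scheme-preserving redirect that must not be flagged.

```python
"""Detect scheme downgrades in HTTP redirect chains (added example, not
code from the thread or from OpenBSD). It parses the "Requesting ..." /
"Redirected to ..." lines ftp(1) prints while following redirects and
flags every hop where an https:// request got an http:// Location."""
from urllib.parse import urlsplit

# Constructed sample transcript: the first two runs are the ones quoted
# in the thread; the third (example.test, 192.0.2.1) is made up to show
# a redirect that keeps https and therefore must not be flagged.
SAMPLE_TRANSCRIPT = """\
$ ftp -o/dev/null https://www.openbsd.org/cgi-bin/cvsweb/
Trying 129.128.5.194...
Requesting https://www.openbsd.org/cgi-bin/cvsweb/
Redirected to http://cvsweb.openbsd.org/cgi-bin/cvsweb/
Trying 128.100.17.243...
Requesting http://cvsweb.openbsd.org/cgi-bin/cvsweb/
2607 bytes received in 0.01 seconds (265.55 KB/s)
$ ftp -o/dev/null https://www.openbsd.org/cgi-bin/man.cgi
Trying 129.128.5.194...
Requesting https://www.openbsd.org/cgi-bin/man.cgi
Redirected to http://man.openbsd.org/cgi-bin/man.cgi
Trying 128.100.17.244...
Requesting http://man.openbsd.org/cgi-bin/man.cgi
5590 bytes received in 0.00 seconds (1.55 MB/s)
$ ftp -o/dev/null https://example.test/old
Trying 192.0.2.1...
Requesting https://example.test/old
Redirected to https://example.test/new
Requesting https://example.test/new
12 bytes received in 0.00 seconds (1.00 KB/s)
"""

def classify_hop(request_url, location):
    """Classify one redirect hop by its scheme transition.

    Returns "downgrade" (https -> http), "upgrade" (http -> https) or
    "same". A relative Location has no scheme of its own and inherits
    the request's, so it is always "same".
    """
    req_scheme = urlsplit(request_url).scheme.lower()
    loc_scheme = (urlsplit(location).scheme or req_scheme).lower()
    if req_scheme == "https" and loc_scheme == "http":
        return "downgrade"
    if req_scheme == "http" and loc_scheme == "https":
        return "upgrade"
    return "same"

def parse_ftp_transcript(text):
    """Return (request_url, location) pairs found in ftp(1) output.

    Each "Redirected to X" line is paired with the most recent
    "Requesting Y" line, which is the order ftp(1) prints them in.
    """
    hops, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Requesting "):
            current = line[len("Requesting "):]
        elif line.startswith("Redirected to ") and current is not None:
            hops.append((current, line[len("Redirected to "):]))
    return hops

def find_downgrades(text):
    """Return only the hops in the transcript that drop https for http."""
    return [(req, loc) for req, loc in parse_ftp_transcript(text)
            if classify_hop(req, loc) == "downgrade"]

if __name__ == "__main__":
    for req, loc in find_downgrades(SAMPLE_TRANSCRIPT):
        print(f"DOWNGRADE: {req} -> {loc}")
```

Feeding it the output of your own `ftp -o/dev/null https://...` runs gives a quick regression check that a redirect rule keeps requests on the scheme they arrived on.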



Re: openbsd.org - certain https URLs downgraded to http in redirection

2020-02-24 Thread Nick Holland
Sorry, took a look at this a while back when I didn't have time to
fully work through it...and then forgot about it. ;-/

On 2020-02-12 04:34, Aham Brahmasmi wrote:
> Namaste misc,
> 
> Overview:
> Certain https URLs on openbsd.org get downgraded to http in redirection.
> 
> Steps:
> When navigating to https://www.openbsd.org/cgi-bin/man.cgi [1] from a
> browser, one ends up on http://man.openbsd.org/cgi-bin/man.cgi.
>
> Same with https://www.openbsd.org/cgi-bin/cvsweb [1], which ends up on
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/.

I Google for "openbsd man", I end up with a link to 
httpS://man.openbsd.org.
and it takes me to man.openbsd.org via httpS.

I duckduckgo.com for "openbsd man", same thing.
(yay.  I just used a website as a verb.)

Google does seem to show a link for httpS://cvsweb.openbsd.org, but
tosses the browser at http://cvsweb.openbsd.org. DuckDuckGo does not
and does what you would expect and hope.

Looking at the page source for the google return, it DOES appear to
be sending the browser to http://, so everything is working as
designed.  Is there a problem?  Yes -- google is aware https:// 
those sites exist, but doesn't actually send users to them.
Apparently your favorite search engine does as well.  Perhaps it
isn't as privacy friendly as you are thinking it is.  The problem
isn't with the websites, it's with where the search engine is 
sending the user.

You want it changed so that when someone clicks on a link, they go
somewhere OTHER than where that link sends them?  I understand your
goal (everything should be HTTPS!!), but I don't really like the
idea of "click here, go elsewhere".

Want https? great. use it.  There are times when it's handy to NOT
be obsessed with https (i.e., clock is hosed on your computer).  

So ... unless some developer I really respect (which is just about
all of them1) tells me to change this, I'm not planning on
changing the behavior of the machines.

Nick.



Re: openbsd.org - certain https URLs downgraded to http in redirection

2020-02-12 Thread Sebastian Benoit
Aham Brahmasmi(aham.brahma...@gmx.com) on 2020.02.12 10:34:55 +0100:
> Namaste misc,
> 
> Overview:
> Certain https URLs on openbsd.org get downgraded to http in redirection.
> 
> Steps:
> When navigating to https://www.openbsd.org/cgi-bin/man.cgi [1] from a
> browser, one ends up on http://man.openbsd.org/cgi-bin/man.cgi.
> 
> Same with https://www.openbsd.org/cgi-bin/cvsweb [1], which ends up on
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/.
> 
> Probable Solution:
> Would we benefit from changing our httpd.conf to
> ...
> listen on * port https
> ...
> location "/cgi-bin/man.cgi*" {
> block return 301 "https://man...
> ...
> 
> ...
> 
> This is similar to the recommended httpd.conf for OpenBSD mirrors [2].
> 
> Dhanyavaad,
> ab
> [1] - These URLs are among the top search results for the search terms
> "openbsd man", "openbsd cvsweb" et al, as returned by a privacy-friendly
> non-evil web search engine.
> [2] - 
> https://cvsweb.openbsd.org/cgi-bin/cvsweb/www/httpd.conf?rev=1.5&content-type=text/x-cvsweb-markup

Thanks for noticing this.

These two services are run by volunteers, and it's up to them how to provide
the service.

If you want to keep it secret what manpage you are looking at or what src
file you are reading, OpenBSD comes with fine command line tools that don't
need network access after initial installation.

Best regards,
B.



openbsd.org - certain https URLs downgraded to http in redirection

2020-02-12 Thread Aham Brahmasmi
Namaste misc,

Overview:
Certain https URLs on openbsd.org get downgraded to http in redirection.

Steps:
When navigating to https://www.openbsd.org/cgi-bin/man.cgi [1] from a
browser, one ends up on http://man.openbsd.org/cgi-bin/man.cgi.

Same with https://www.openbsd.org/cgi-bin/cvsweb [1], which ends up on
http://cvsweb.openbsd.org/cgi-bin/cvsweb/.

Probable Solution:
Would we benefit from changing our httpd.conf to
...
listen on * port https
...
location "/cgi-bin/man.cgi*" {
block return 301 "https://man...
...

...

This is similar to the recommended httpd.conf for OpenBSD mirrors [2].

Dhanyavaad,
ab
[1] - These URLs are among the top search results for the search terms
"openbsd man", "openbsd cvsweb" et al, as returned by a privacy-friendly
non-evil web search engine.
[2] - 
https://cvsweb.openbsd.org/cgi-bin/cvsweb/www/httpd.conf?rev=1.5&content-type=text/x-cvsweb-markup
-|-|-|-|-|-|-|--