Re: openbsd.org - certain https URLs downgraded to http in redirection
Hi Constantine,

Constantine A. Murenin wrote on Tue, Mar 31, 2020 at 01:24:30PM -0500:

> What you say makes no sense

I wouldn't go that far; i think Aham has a point, even though
it certainly isn't a critical nor an urgent problem.

> for one simple reason: man.cgi (and cvsweb) moved out of www.openbsd.org
> ages ago, prior to there being any https on www.openbsd.org (correct me
> if I'm wrong here),

Not sure, maybe. I don't feel like spending time on trying to
find out, it doesn't seem that important.

> so, there should not be any legitimate organic links that would be
> linking to https towards www.openbsd.org/cgi-bin/ in the first place;
> as such, there's little reason to change anything here.

Who knows what links people may have put into their web pages at which
times and for which reasons or what they type in their browser address
bars; those are not very pressing questions either.

The reason the redirection wasn't changed yet to avoid redirecting
incoming HTTPs connections to HTTP URIs elsewhere merely is that the
people having the necessary access to the www.openbsd.org server are
busy and apparently don't consider it a priority to improve this
particular detail. While i do maintain man.openbsd.org, i don't have
access to www.openbsd.org, and i'm not sure i even want such access.

Yours,
  Ingo
Re: openbsd.org - certain https URLs downgraded to http in redirection
What you say makes no sense for one simple reason: man.cgi (and cvsweb)
moved out of www.openbsd.org ages ago, prior to there being any https on
www.openbsd.org (correct me if I'm wrong here), so, there should not be
any legitimate organic links that would be linking to https towards
www.openbsd.org/cgi-bin/ in the first place; as such, there's little
reason to change anything here.

C.

On Tue, 31 Mar 2020 at 08:00, Aham Brahmasmi wrote:
> Namaste misc,
>
> Apologies for the reincarnation of this mail trail.
>
> > Sent: Tuesday, February 25, 2020 at 10:40 PM
> > From: "Constantine A. Murenin"
> > To: "Vincenzo Nicosia"
> > Cc: "Stuart Henderson", "misc@openbsd.org" <misc@openbsd.org>
> > Subject: Re: openbsd.org - certain https URLs downgraded to http in redirection
> >
> > On Tue, 25 Feb 2020 at 04:35, Vincenzo Nicosia wrote:
> >
> > > On Tue, Feb 25, 2020 at 07:57:24AM -, Stuart Henderson wrote:
> > >
> > > [cut]
> > >
> > > > > Want https? great. use it. There are times when it's handy to NOT
> > > > > be obsessed with https (i.e., clock is hosed on your computer).
> > > > >
> > > > > So ... unless some developer I really respect (which is just about
> > > > > all of them!) tells me to change this, I'm not planning on
> > > > > changing the behavior of the machines.
> > > >
> > > > I did object to http->https redirects in the past, but now the web is
> > > > unusable without working https anyway and the "INSECURE openbsd.org"
> > > > shown on some browsers *is* a bit of an eyesore ...
> > >
> > > IMHO, the fact that corporates (Google) want to dictate what is secure
> > > and what is not, is not sufficient to force everybody on https, at all
> > > times. I personally don't give a toss of what Chrome thinks of a
> > > website and its security (maybe because I have never used Chrome or
> > > because I quit google searches more than 10 years ago...).
> > >
> > > There are many cases where the overhead introduced by https is really
> > > not worth the extra bit of confidentiality you get. And we are talking
> > > here of manpages (that are installed in your system anyway) and of
> > > system sources (that are available for download at any time, even from
> > > an HTTPS mirror)...
> > >
> > > Sorry for the rant, but if I type "http://bring.me.there" I don't want
> > > to find myself at "https://we.brought.you.somewhere.else". I am not a
> > > chimp. I know what I type in my URL box. I know what I expect. And I
> > > want to be able to serve content via HTTP/1.0 if I need so.
> >
> > Exactly.
> >
> > Folks often forget, or are blissfully unaware, that Google Search itself
> > still does work over both HTTP (without the S) as well as over the legacy
> > TLSv1.0 HTTPS, so, the propaganda efforts and the destructive webmaster
> > advice given by the Google Chrome and Mozilla teams to suppress the
> > minorities from being able to access the websites is hypocritical, to say
> > the least. /Do as I say, not as I do./
> >
> > The HTTP and TLSv1.0 traffic is mostly bots, some folks say? Surprise —
> > many bots are still controlled by good people, used to do various useful
> > things, so, you're still blocking actual people from a minority class from
> > having access to your website. Not to mention the older phones and tablets
> > with hundreds of megabytes of RAM and gigabytes of storage space that were
> > abandoned by their creators and don't support TLSv1.2 and/or all the newest
> > ciphers that are deemed to be the best practice today. The sad part is
> > that the non-profits of today (e.g., Mozilla and Wikipedia) are effectively
> > brokering the planned obsolescence of all these devices on behalf of the
> > respective vendors.
> >
> > C.
>
> Current situation:
>
> https://www.openbsd.org/cgi-bin/man.cgi* -> http://man.openbsd.org/cgi-bin/man.cgi*
> https://www.openbsd.org/cgi-bin/cvsweb -> http://cvsweb.openbsd.org/cgi-bin/cvsweb
>
> http://www.openbsd.org/cgi-bin/man.cgi* -> http://man.openbsd.org/cgi-bin/man.cgi*
> http://www.openbsd.org/cgi-bin/cvsweb -> http://cvsweb.openbsd.org/cgi-bin/cvsweb
>
> What folks here thought I was asking for:
>
> https://www.openbsd.org/cgi-bin/man.cgi* -> https://man.openbsd.org/cgi-bin/man.cgi*
> https://www.open
Re: openbsd.org - certain https URLs downgraded to http in redirection
Namaste misc,

Apologies for the reincarnation of this mail trail.

> Sent: Tuesday, February 25, 2020 at 10:40 PM
> From: "Constantine A. Murenin"
> To: "Vincenzo Nicosia"
> Cc: "Stuart Henderson", "misc@openbsd.org"
> Subject: Re: openbsd.org - certain https URLs downgraded to http in redirection
>
> On Tue, 25 Feb 2020 at 04:35, Vincenzo Nicosia wrote:
>
> > On Tue, Feb 25, 2020 at 07:57:24AM -, Stuart Henderson wrote:
> >
> > [cut]
> >
> > > > Want https? great. use it. There are times when it's handy to NOT
> > > > be obsessed with https (i.e., clock is hosed on your computer).
> > > >
> > > > So ... unless some developer I really respect (which is just about
> > > > all of them!) tells me to change this, I'm not planning on
> > > > changing the behavior of the machines.
> > >
> > > I did object to http->https redirects in the past, but now the web is
> > > unusable without working https anyway and the "INSECURE openbsd.org"
> > > shown on some browsers *is* a bit of an eyesore ...
> >
> > IMHO, the fact that corporates (Google) want to dictate what is secure
> > and what is not, is not sufficient to force everybody on https, at all
> > times. I personally don't give a toss of what Chrome thinks of a
> > website and its security (maybe because I have never used Chrome or
> > because I quit google searches more than 10 years ago...).
> >
> > There are many cases where the overhead introduced by https is really
> > not worth the extra bit of confidentiality you get. And we are talking
> > here of manpages (that are installed in your system anyway) and of
> > system sources (that are available for download at any time, even from
> > an HTTPS mirror)...
> >
> > Sorry for the rant, but if I type "http://bring.me.there" I don't want
> > to find myself at "https://we.brought.you.somewhere.else". I am not a
> > chimp. I know what I type in my URL box. I know what I expect. And I
> > want to be able to serve content via HTTP/1.0 if I need so.
>
> Exactly.
>
> Folks often forget, or are blissfully unaware, that Google Search itself
> still does work over both HTTP (without the S) as well as over the legacy
> TLSv1.0 HTTPS, so, the propaganda efforts and the destructive webmaster
> advice given by the Google Chrome and Mozilla teams to suppress the
> minorities from being able to access the websites is hypocritical, to say
> the least. /Do as I say, not as I do./
>
> The HTTP and TLSv1.0 traffic is mostly bots, some folks say? Surprise —
> many bots are still controlled by good people, used to do various useful
> things, so, you're still blocking actual people from a minority class from
> having access to your website. Not to mention the older phones and tablets
> with hundreds of megabytes of RAM and gigabytes of storage space that were
> abandoned by their creators and don't support TLSv1.2 and/or all the newest
> ciphers that are deemed to be the best practice today. The sad part is
> that the non-profits of today (e.g., Mozilla and Wikipedia) are effectively
> brokering the planned obsolescence of all these devices on behalf of the
> respective vendors.
>
> C.

Current situation:

https://www.openbsd.org/cgi-bin/man.cgi* -> http://man.openbsd.org/cgi-bin/man.cgi*
https://www.openbsd.org/cgi-bin/cvsweb -> http://cvsweb.openbsd.org/cgi-bin/cvsweb

http://www.openbsd.org/cgi-bin/man.cgi* -> http://man.openbsd.org/cgi-bin/man.cgi*
http://www.openbsd.org/cgi-bin/cvsweb -> http://cvsweb.openbsd.org/cgi-bin/cvsweb

What folks here thought I was asking for:

https://www.openbsd.org/cgi-bin/man.cgi* -> https://man.openbsd.org/cgi-bin/man.cgi*
https://www.openbsd.org/cgi-bin/cvsweb -> https://cvsweb.openbsd.org/cgi-bin/cvsweb

http://www.openbsd.org/cgi-bin/man.cgi* -> https://man.openbsd.org/cgi-bin/man.cgi*
http://www.openbsd.org/cgi-bin/cvsweb -> https://cvsweb.openbsd.org/cgi-bin/cvsweb

What my actual request is:

https://www.openbsd.org/cgi-bin/man.cgi* -> https://man.openbsd.org/cgi-bin/man.cgi*
https://www.openbsd.org/cgi-bin/cvsweb -> https://cvsweb.openbsd.org/cgi-bin/cvsweb

http://www.openbsd.org/cgi-bin/man.cgi* -> http://man.openbsd.org/cgi-bin/man.cgi*
http://www.openbsd.org/cgi-bin/cvsweb -> http://cvsweb.openbsd.org/cgi-bin/cvsweb

In other words,

Current configuration
https -> http
http -> http

Not Intended configuration
https -> https
http -> https

Intended configuration
https -> https
http -> http

Currently, requests arriving on https as well as http ports are redirected to the ht
Re: openbsd.org - certain https URLs downgraded to http in redirection
On Tue, 25 Feb 2020 at 04:35, Vincenzo Nicosia wrote:
> On Tue, Feb 25, 2020 at 07:57:24AM -, Stuart Henderson wrote:
>
> [cut]
>
> > > Want https? great. use it. There are times when it's handy to NOT
> > > be obsessed with https (i.e., clock is hosed on your computer).
> > >
> > > So ... unless some developer I really respect (which is just about
> > > all of them!) tells me to change this, I'm not planning on
> > > changing the behavior of the machines.
> >
> > I did object to http->https redirects in the past, but now the web is
> > unusable without working https anyway and the "INSECURE openbsd.org"
> > shown on some browsers *is* a bit of an eyesore ...
>
> IMHO, the fact that corporates (Google) want to dictate what is secure
> and what is not, is not sufficient to force everybody on https, at all
> times. I personally don't give a toss of what Chrome thinks of a
> website and its security (maybe because I have never used Chrome or
> because I quit google searches more than 10 years ago...).
>
> There are many cases where the overhead introduced by https is really
> not worth the extra bit of confidentiality you get. And we are talking
> here of manpages (that are installed in your system anyway) and of
> system sources (that are available for download at any time, even from
> an HTTPS mirror)...
>
> Sorry for the rant, but if I type "http://bring.me.there" I don't want
> to find myself at "https://we.brought.you.somewhere.else". I am not a
> chimp. I know what I type in my URL box. I know what I expect. And I
> want to be able to serve content via HTTP/1.0 if I need so.

Exactly.

Folks often forget, or are blissfully unaware, that Google Search itself
still does work over both HTTP (without the S) as well as over the legacy
TLSv1.0 HTTPS, so, the propaganda efforts and the destructive webmaster
advice given by the Google Chrome and Mozilla teams to suppress the
minorities from being able to access the websites is hypocritical, to say
the least. /Do as I say, not as I do./

The HTTP and TLSv1.0 traffic is mostly bots, some folks say? Surprise —
many bots are still controlled by good people, used to do various useful
things, so, you're still blocking actual people from a minority class from
having access to your website. Not to mention the older phones and tablets
with hundreds of megabytes of RAM and gigabytes of storage space that were
abandoned by their creators and don't support TLSv1.2 and/or all the newest
ciphers that are deemed to be the best practice today. The sad part is
that the non-profits of today (e.g., Mozilla and Wikipedia) are effectively
brokering the planned obsolescence of all these devices on behalf of the
respective vendors.

C.
Re: openbsd.org - certain https URLs downgraded to http in redirection
February 25, 2020 11:32 PM, "Vincenzo Nicosia" wrote:
> There are many cases where the overhead introduced by https is really
> not worth the extra bit of confidentiality you get.

It's not just about confidentiality - https also ensures integrity, and
prevents nefarious network operators (i.e. your ISP) from altering your
requested web pages to insert ads or other malware. This happens more
often than you might expect. Fortunately, the wide adoption of https
has made these sorts of evil content alteration less appealing.
Re: openbsd.org - certain https URLs downgraded to http in redirection
On Tue, Feb 25, 2020 at 07:57:24AM -, Stuart Henderson wrote:

[cut]

> > Want https? great. use it. There are times when it's handy to NOT
> > be obsessed with https (i.e., clock is hosed on your computer).
> >
> > So ... unless some developer I really respect (which is just about
> > all of them!) tells me to change this, I'm not planning on
> > changing the behavior of the machines.
>
> I did object to http->https redirects in the past, but now the web is
> unusable without working https anyway and the "INSECURE openbsd.org"
> shown on some browsers *is* a bit of an eyesore ...

IMHO, the fact that corporates (Google) want to dictate what is secure
and what is not, is not sufficient to force everybody on https, at all
times. I personally don't give a toss of what Chrome thinks of a
website and its security (maybe because I have never used Chrome or
because I quit google searches more than 10 years ago...).

There are many cases where the overhead introduced by https is really
not worth the extra bit of confidentiality you get. And we are talking
here of manpages (that are installed in your system anyway) and of
system sources (that are available for download at any time, even from
an HTTPS mirror)...

Sorry for the rant, but if I type "http://bring.me.there" I don't want
to find myself at "https://we.brought.you.somewhere.else". I am not a
chimp. I know what I type in my URL box. I know what I expect. And I
want to be able to serve content via HTTP/1.0 if I need so.
Re: openbsd.org - certain https URLs downgraded to http in redirection
On 2020-02-25, Nick Holland wrote:
> Sorry, took a look at this a while back when I didn't have time to
> fully work through it...and then forgot about it. ;-/
>
> On 2020-02-12 04:34, Aham Brahmasmi wrote:
>> Namaste misc,
>>
>> Overview:
>> Certain https URLs on openbsd.org get downgraded to http in redirection.
>>
>> Steps:
>> When navigating to https://www.openbsd.org/cgi-bin/man.cgi [1] from a
>> browser, one ends up on http://man.openbsd.org/cgi-bin/man.cgi.
>>
>> Same with https://www.openbsd.org/cgi-bin/cvsweb [1], which ends up on
>> http://cvsweb.openbsd.org/cgi-bin/cvsweb/.
>
> I Google for "openbsd man", I end up with a link to
> httpS://man.openbsd.org.
> and it takes me to man.openbsd.org via httpS.
>
> I duckduckgo.com for "openbsd man", same thing.
> (yay. I just used a website as a verb.)
>
> Google does seem to show a link for httpS://cvsweb.openbsd.org, but
> tosses the browser at http://cvsweb.openbsd.org. DuckDuckGo does not
> and does what you would expect and hope.

Google has https://www.openbsd.org/cgi-bin/cvsweb/, not
https://cvsweb.openbsd.org.

> Looking at the page source for the google return, it DOES appear to
> be sending the browser to http://, so everything is working as
> designed. Is there a problem? Yes -- google is aware https://
> those sites exists, but doesn't actually send users to them.
>
> Apparently your favorite search engine does as well. Perhaps it
> isn't as privacy friendly as you are thinking it is. The problem
> isn't with the websites, it's with where the search engine is
> sending the user.

The problem *is* with the website (specifically www.openbsd.org, not
man/cvsweb). It redirects the old cgi-bin URLs to http versions whatever
protocol the request came in on.

$ ftp -o/dev/null https://www.openbsd.org/cgi-bin/cvsweb/
Trying 129.128.5.194...
Requesting https://www.openbsd.org/cgi-bin/cvsweb/
Redirected to http://cvsweb.openbsd.org/cgi-bin/cvsweb/
Trying 128.100.17.243...
Requesting http://cvsweb.openbsd.org/cgi-bin/cvsweb/
2607 bytes received in 0.01 seconds (265.55 KB/s)

$ ftp -o/dev/null https://www.openbsd.org/cgi-bin/man.cgi
Trying 129.128.5.194...
Requesting https://www.openbsd.org/cgi-bin/man.cgi
Redirected to http://man.openbsd.org/cgi-bin/man.cgi
Trying 128.100.17.244...
Requesting http://man.openbsd.org/cgi-bin/man.cgi
5590 bytes received in 0.00 seconds (1.55 MB/s)

> You want it changed so that when someone clicks on a link, they go
> somewhere OTHER than where that link sends them? I understand your
> goal (everything should be HTTPS!!), but I don't really like the
> idea of "click here, go elsewhere".
>
> Want https? great. use it. There are times when it's handy to NOT
> be obsessed with https (i.e., clock is hosed on your computer).
>
> So ... unless some developer I really respect (which is just about
> all of them!) tells me to change this, I'm not planning on
> changing the behavior of the machines.

I did object to http->https redirects in the past, but now the web is
unusable without working https anyway and the "INSECURE openbsd.org"
shown on some browsers *is* a bit of an eyesore ...
Re: openbsd.org - certain https URLs downgraded to http in redirection
Sorry, took a look at this a while back when I didn't have time to
fully work through it...and then forgot about it. ;-/

On 2020-02-12 04:34, Aham Brahmasmi wrote:
> Namaste misc,
>
> Overview:
> Certain https URLs on openbsd.org get downgraded to http in redirection.
>
> Steps:
> When navigating to https://www.openbsd.org/cgi-bin/man.cgi [1] from a
> browser, one ends up on http://man.openbsd.org/cgi-bin/man.cgi.
>
> Same with https://www.openbsd.org/cgi-bin/cvsweb [1], which ends up on
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/.

I Google for "openbsd man", I end up with a link to
httpS://man.openbsd.org.
and it takes me to man.openbsd.org via httpS.

I duckduckgo.com for "openbsd man", same thing.
(yay. I just used a website as a verb.)

Google does seem to show a link for httpS://cvsweb.openbsd.org, but
tosses the browser at http://cvsweb.openbsd.org. DuckDuckGo does not
and does what you would expect and hope.

Looking at the page source for the google return, it DOES appear to
be sending the browser to http://, so everything is working as
designed. Is there a problem? Yes -- google is aware https://
those sites exists, but doesn't actually send users to them.

Apparently your favorite search engine does as well. Perhaps it
isn't as privacy friendly as you are thinking it is. The problem
isn't with the websites, it's with where the search engine is
sending the user.

You want it changed so that when someone clicks on a link, they go
somewhere OTHER than where that link sends them? I understand your
goal (everything should be HTTPS!!), but I don't really like the
idea of "click here, go elsewhere".

Want https? great. use it. There are times when it's handy to NOT
be obsessed with https (i.e., clock is hosed on your computer).

So ... unless some developer I really respect (which is just about
all of them!) tells me to change this, I'm not planning on
changing the behavior of the machines.

Nick.
Re: openbsd.org - certain https URLs downgraded to http in redirection
Aham Brahmasmi(aham.brahma...@gmx.com) on 2020.02.12 10:34:55 +0100:
> Namaste misc,
>
> Overview:
> Certain https URLs on openbsd.org get downgraded to http in redirection.
>
> Steps:
> When navigating to https://www.openbsd.org/cgi-bin/man.cgi [1] from a
> browser, one ends up on http://man.openbsd.org/cgi-bin/man.cgi.
>
> Same with https://www.openbsd.org/cgi-bin/cvsweb [1], which ends up on
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/.
>
> Probable Solution:
> Would we benefit from changing our httpd.conf to
> ...
>         listen on * port https
> ...
>         location "/cgi-bin/man.cgi*" {
>                 block return 301 "https://man...
> ...
>
> ...
>
> This is similar to the recommended httpd.conf for OpenBSD mirrors [2].
>
> Dhanyavaad,
> ab
> [1] - These URLs are among the top search results for the search terms
> "openbsd man", "openbsd cvsweb" et al, as returned by a privacy-friendly
> non-evil web search engine.
> [2] -
> https://cvsweb.openbsd.org/cgi-bin/cvsweb/www/httpd.conf?rev=1.5=text/x-cvsweb-markup

Thanks for noticing this. These two services are run by volunteers, and
it's up to them how to provide the service.

If you want to keep it secret what manpage you are looking at or what
src file you are reading, OpenBSD comes with fine command line tools
that don't need network access after initial installation.

Best regards,
B.
openbsd.org - certain https URLs downgraded to http in redirection
Namaste misc,

Overview:
Certain https URLs on openbsd.org get downgraded to http in redirection.

Steps:
When navigating to https://www.openbsd.org/cgi-bin/man.cgi [1] from a
browser, one ends up on http://man.openbsd.org/cgi-bin/man.cgi.

Same with https://www.openbsd.org/cgi-bin/cvsweb [1], which ends up on
http://cvsweb.openbsd.org/cgi-bin/cvsweb/.

Probable Solution:
Would we benefit from changing our httpd.conf to
...
        listen on * port https
...
        location "/cgi-bin/man.cgi*" {
                block return 301 "https://man...
...

...

This is similar to the recommended httpd.conf for OpenBSD mirrors [2].

Dhanyavaad,
ab
[1] - These URLs are among the top search results for the search terms
"openbsd man", "openbsd cvsweb" et al, as returned by a privacy-friendly
non-evil web search engine.
[2] - https://cvsweb.openbsd.org/cgi-bin/cvsweb/www/httpd.conf?rev=1.5=text/x-cvsweb-markup
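The scheme-preserving redirect that the thread settles on (https -> https, http -> http, with the legacy /cgi-bin/ paths sent to man.openbsd.org and cvsweb.openbsd.org) written out as an added OpenBSD httpd.conf(5) example. This is not the snippet from the post above and not the configuration running on www.openbsd.org; it is an editor's illustration that assumes OpenBSD httpd with its $REQUEST_URI macro and the default certificate and key locations, and it borrows only the two location patterns from the post. The defensive point it shows is that the port-80 and port-443 listeners get their own location blocks, so a request that arrived over TLS can never be answered with a Location header pointing at a plain-http URL.

```conf
# Added example, not www.openbsd.org's real httpd.conf.
# Two server blocks with the same name, one per listener, so that the
# redirect target keeps the scheme the client arrived on.

# Plain-http listener: legacy cgi-bin paths stay on http (no forced upgrade).
server "www.openbsd.org" {
	listen on * port 80

	# $REQUEST_URI carries the request path and any query string,
	# so /cgi-bin/man.cgi?query=ftp lands on the same path at the new host.
	location "/cgi-bin/man.cgi*" {
		block return 301 "http://man.openbsd.org$REQUEST_URI"
	}
	location "/cgi-bin/cvsweb*" {
		block return 301 "http://cvsweb.openbsd.org$REQUEST_URI"
	}

	root "/htdocs/www.openbsd.org"	# assumed document root
}

# TLS listener: the same paths, but the Location header must stay https.
# Certificate and key default to /etc/ssl/server.crt and
# /etc/ssl/private/server.key unless a tls { } block overrides them.
server "www.openbsd.org" {
	listen on * tls port 443

	location "/cgi-bin/man.cgi*" {
		block return 301 "https://man.openbsd.org$REQUEST_URI"
	}
	location "/cgi-bin/cvsweb*" {
		block return 301 "https://cvsweb.openbsd.org$REQUEST_URI"
	}

	root "/htdocs/www.openbsd.org"	# assumed document root
}
```

The check after such a change is the one Stuart used earlier in the thread: ftp -o/dev/null against each https URL, confirming that the "Redirected to" line still starts with https. Newer httpd releases also provide a $REQUEST_SCHEME macro, which would let a single server block with both listen lines emit "$REQUEST_SCHEME://man.openbsd.org$REQUEST_URI"; confirm it is listed in httpd.conf(5) for the release in use before relying on it.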