NetBSD-Bugs archive


Re: misc/56220: http://man.netbsd.org should redirect to https://man.netbsd.org



The following reply was made to PR misc/56220; it has been noted by GNATS.

From: Kimmo Suominen <kim%netbsd.org@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: misc/56220: http://man.netbsd.org should redirect to
 https://man.netbsd.org
Date: Tue, 1 Jun 2021 07:03:40 +0300

 On Mon, May 31, 2021 at 10:50:02PM +0000, Jan Schaumann wrote:
 >  Do we believe there is a non-negligible number of users who access
 >  the site using a mechanism that can't speak https?
 
 Yes, that's what I've been told. However, it appears to be a set of
 users elusive enough that I was unable to find a specimen to test or
 discuss with. So I used the following logic:
 
 - Preserve access over http.
 
 - If the browser sends "Upgrade-Insecure-Requests: 1" over http,
   redirect it to https.
 
 - If the browser checks the HSTS preload list, it likely also sends
   "Upgrade-Insecure-Requests: 1" over http. Thus preload is unlikely to
   break anyone's http access.
 
 Current versions of Chrome, Firefox, and Safari all now get redirected
 to https without displaying a "Not Secure" warning.  Yet I can still
 use "lynx man.netbsd.org" to browse the site over http without being
 redirected to https.
 
 Most requests made to man.netbsd.org, by the way, are from various
 spiders using a mix of http and https requests. They outnumber humans by
 a huge margin in their number of visits to the site. From the relatively
 brief period of log watching, it would appear that they do not send
 "Upgrade-Insecure-Requests: 1" over http, as they are not getting the
 redirect response.
 
 Finally, to reiterate your request: the problem you reported was that
 modern browsers display a "Not Secure" notification when visiting the
 site.  I believe this has now been addressed, so that it no longer
 happens.
 
 If it has not been fixed, it would be helpful to know how to reproduce
 the problem.
 
 If there are additional issues, please open a new PR to report them.
 Please consider opening multiple PRs if the issues are not closely
 related, as it will make it easier to address each issue individually.
 
 Thanks,
 + Kimmo
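
The decision logic described in the message above, sketched as an added example; it is not part of the original mail and not the actual man.netbsd.org server configuration. The function name `respond`, the 307 status, the `Vary` header, the HSTS value and the sample requests are assumptions made for illustration.

```python
# Added illustration; not the actual man.netbsd.org configuration.
CANONICAL_HOST = "man.netbsd.org"  # fixed host: never echo the request's Host header
HSTS = "max-age=31536000; includeSubDomains; preload"  # assumed policy value


def respond(scheme, target, headers):
    """Return (status, response_headers) for one request (hypothetical helper)."""
    # Refuse targets that could smuggle header lines or are not origin-form.
    if not target.startswith("/") or any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return 400, {}
    if scheme == "https":
        # HSTS is only honoured by browsers when received over TLS.
        return 200, {"Strict-Transport-Security": HSTS}
    # Header names are case-insensitive; only the exact value "1" opts in.
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    # Vary stops a shared cache from handing the redirect (or the plain-http
    # page) to a client that sent a different Upgrade-Insecure-Requests value.
    out = {"Vary": "Upgrade-Insecure-Requests"}
    if hdrs.get("upgrade-insecure-requests") == "1":
        out["Location"] = f"https://{CANONICAL_HOST}{target}"
        return 307, out  # assumed status; preserves the request method
    return 200, out  # lynx, spiders, other legacy clients stay on http


# Constructed sample requests (scheme, target, request headers).
SAMPLES = [
    ("http", "/ls.1", {"Upgrade-Insecure-Requests": "1"}),   # modern browser
    ("http", "/ls.1", {"User-Agent": "Lynx"}),               # text browser
    ("http", "/ls.1", {"upgrade-insecure-requests": "0"}),   # header present, not opted in
    ("https", "/ls.1", {"Upgrade-Insecure-Requests": "1"}),  # already on TLS
    ("http", "/ls.1\r\nSet-Cookie: x=1", {"Upgrade-Insecure-Requests": "1"}),
]

if __name__ == "__main__":
    for scheme, target, headers in SAMPLES:
        print(scheme, repr(target), "->", respond(scheme, target, headers))
```

Without the `Vary` header, a shared cache in front of the site could serve the cached redirect to a client that never asked for an upgrade, which would undo the "preserve access over http" goal.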
 

