Tuesday, March 31, 2020

Re: openbsd.org - certain https URLs downgraded to http in redirection

Namaste misc,

Apologies for the reincarnation of this mail trail.

> Sent: Tuesday, February 25, 2020 at 10:40 PM
> From: "Constantine A. Murenin" <mureninc@gmail.com>
> To: "Vincenzo Nicosia" <katolaz@freaknet.org>
> Cc: "Stuart Henderson" <stu@spacehopper.org>, "misc@openbsd.org" <misc@openbsd.org>
> Subject: Re: openbsd.org - certain https URLs downgraded to http in redirection
>
> On Tue, 25 Feb 2020 at 04:35, Vincenzo Nicosia <katolaz@freaknet.org> wrote:
>
> > On Tue, Feb 25, 2020 at 07:57:24AM -0000, Stuart Henderson wrote:
> >
> > [cut]
> >
> > > > Want https? great. use it. There are times when it's handy to NOT
> > > > be obsessed with https (i.e., clock is hosed on your computer).
> > > >
> > > > So ... unless some developer I really respect (which is just about
> > > > all of them1) tells me to change this, I'm not planning on
> > > > changing the behavior of the machines.
> > >
> > > I did object to http->https redirects in the past, but now the web is
> > > unusable without working https anyway and the "INSECURE openbsd.org"
> > > shown on some browsers *is* a bit of an eyesore ...
> > >
> >
> > IMHO, the fact that corporates (Google) want to dictate what is secure
> > and what is not, is not sufficient to force everybody on https, at all
> > times. I personally don't give a toss of what Chrome thinks of a
> > website and its security (maybe because I have never used Chrome or
> > because I quit google searches more than 10 years ago...).
> >
> > There are many cases where the overhead introduced by https is really
> > not worth the extra bit of confidentiality you get. And we are talking
> > here of manpages (that are installed in your system anyway) and of
> > system sources (that are available for download at any time, even from
> > an HTTPS mirror)...
> >
> > Sorry for the rant, but if I type "http://bring.me.there" I don't want
> > to find myself at "https://we.brought.you.somewhere.else". I am not a
> > chimp. I know what I type in my URL box. I know what I expect. And I
> > want to be able to serve content via HTTP/1.0 if I need so.
> >
>
> Exactly.
>
> Folks often forget, or are blissfully unaware, that Google Search itself
> still does work over both HTTP (without the S) as well as over the legacy
> TLSv1.0 HTTPS, so, the propaganda efforts and the destructive webmaster
> advice given by the Google Chrome and Mozilla teams to suppress the
> minorities from being able to access the websites is hypocritical, to say
> the least. /Do as I say, not as I do./
>
> The HTTP and TLSv1.0 traffic is mostly bots, some folks say? Surprise —
> many bots are still controlled by good people, used to do various useful
> things, so, you're still blocking actual people from a minority class from
> having access to your website. Not to mention the older phones and tablets
> with hundreds of megabytes of RAM and gigabytes of storage space that were
> abandoned by their creators and don't support TLSv1.2 and/or all the newest
> ciphers that are deemed to be the best practice today. The sad part is
> that the non-profits of today (e.g., Mozilla and Wikipedia) are effectively
> brokering the planned obsolescence of all these devices on behalf of the
> respective vendors.
>
> C.
>

Current situation:

https://www.openbsd.org/cgi-bin/man.cgi* -> http://man.openbsd.org/cgi-bin/man.cgi*
https://www.openbsd.org/cgi-bin/cvsweb -> http://cvsweb.openbsd.org/cgi-bin/cvsweb

http://www.openbsd.org/cgi-bin/man.cgi* -> http://man.openbsd.org/cgi-bin/man.cgi*
http://www.openbsd.org/cgi-bin/cvsweb -> http://cvsweb.openbsd.org/cgi-bin/cvsweb

What folks here thought I was asking for:

https://www.openbsd.org/cgi-bin/man.cgi* -> https://man.openbsd.org/cgi-bin/man.cgi*
https://www.openbsd.org/cgi-bin/cvsweb -> https://cvsweb.openbsd.org/cgi-bin/cvsweb

http://www.openbsd.org/cgi-bin/man.cgi* -> https://man.openbsd.org/cgi-bin/man.cgi*
http://www.openbsd.org/cgi-bin/cvsweb -> https://cvsweb.openbsd.org/cgi-bin/cvsweb

What my actual request is:

https://www.openbsd.org/cgi-bin/man.cgi* -> https://man.openbsd.org/cgi-bin/man.cgi*
https://www.openbsd.org/cgi-bin/cvsweb -> https://cvsweb.openbsd.org/cgi-bin/cvsweb

http://www.openbsd.org/cgi-bin/man.cgi* -> http://man.openbsd.org/cgi-bin/man.cgi*
http://www.openbsd.org/cgi-bin/cvsweb -> http://cvsweb.openbsd.org/cgi-bin/cvsweb

In other words,

Current configuration
https -> http
http -> http

Not Intended configuration
https -> https
http -> https

Intended configuration
https -> https
http -> http

Currently, requests arriving on https as well as http ports are
redirected to the http port. This effectively downgrades a user-agent
from https to http, which I think may not be desirable.

In the intended configuration, if a request arrives on the https port,
it should be redirected to the https port, and not to the http port. If
a request arrives on the http port, it should continue to be redirected
to the http port.

This nuance is conveyed by the following line in the configuration in
my request:
...
listen on * port https
...

In terms of httpd.conf configurations:

Probable Current Configuration:

server "openbsd.org" {
...
listen on * port http
listen on * tls port https
...
location "/cgi-bin/man.cgi*" {
block return 301 "http://man...
...
<similarly for cvsweb et al>
...

Intended Future Configuration:

server "openbsd.org" {
...
listen on * port http
...
location "/cgi-bin/man.cgi*" {
block return 301 "http://man...
...
<similarly for cvsweb et al>
...

server "openbsd.org" {
...
listen on * tls port https
...
location "/cgi-bin/man.cgi*" {
block return 301 "https://man...
...
<similarly for cvsweb et al>
...
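A complete httpd.conf(5) for the split described above, added here as an example; it is not the openbsd.org configuration and not a snippet from this thread. The hostnames are the ones discussed in the thread; the alias line, the document root, the certificate and key paths, and the "/cgi-bin/cvsweb*" glob are assumptions. Each scheme gets its own server block, so a redirect always keeps the scheme the request arrived on, and the $REQUEST_URI macro carries the original path and query string to the new host.

```conf
# Added example, not the openbsd.org configuration: one server block per
# scheme, so a redirect never changes the scheme the client arrived on.

# Plain-HTTP front end: http stays http, as the thread requests.
server "www.openbsd.org" {
	alias "openbsd.org"                  # assumption: both names served here
	listen on * port http
	root "/htdocs/www"                   # assumption: path under httpd's chroot

	location "/cgi-bin/man.cgi*" {
		# $REQUEST_URI keeps the path and query string of the original request
		block return 301 "http://man.openbsd.org$REQUEST_URI"
	}
	location "/cgi-bin/cvsweb*" {        # assumption: glob also covers subpaths
		block return 301 "http://cvsweb.openbsd.org$REQUEST_URI"
	}
}

# TLS front end: https stays https, so the redirect no longer downgrades.
server "www.openbsd.org" {
	alias "openbsd.org"
	listen on * tls port https
	tls {
		certificate "/etc/ssl/www.openbsd.org.crt"        # placeholder path
		key "/etc/ssl/private/www.openbsd.org.key"        # placeholder path
	}
	root "/htdocs/www"

	location "/cgi-bin/man.cgi*" {
		block return 301 "https://man.openbsd.org$REQUEST_URI"
	}
	location "/cgi-bin/cvsweb*" {
		block return 301 "https://cvsweb.openbsd.org$REQUEST_URI"
	}
}
```

`httpd -n -f /etc/httpd.conf` checks the syntax before a reload. To confirm the behaviour, request the same /cgi-bin/man.cgi path once on port 80 and once on port 443 and compare the scheme in each Location header with the scheme the request was sent on: a mismatch on the 443 side is the downgrade this thread is about.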

As elaborated above, this change intends to only affect requests which
originate as https. This change does not intend to affect requests which
originate as http.

So, I request you to please not redirect http to https. The idea was to
prevent https downgrade to http. The idea was not to enable http upgrade
to https.

Au contraire, I believe openbsd.org should remain fully functional on
http for eternity.

Looking back at my original mail, I think I could have been more clear
on what I was requesting. I can understand how this came across as the
request to upgrade http to https.

I struggle between terseness and verbosity. My bad.

Dhanyavaad,
ab
(P.S. - this mail is a near identical copy of my reply in an off-list
conversation that got dropped because gmx has some undiagnosable bounce
errors when delivering to individual inboxes.)
---------|---------|---------|---------|---------|---------|---------|--
