Tuesday, March 31, 2020

Re: openbsd.org - certain https URLs downgraded to http in redirection

What you say makes no sense for one simple reason: man.cgi (and cvsweb)
moved out of www.openbsd.org ages ago, prior to there being any https on
www.openbsd.org (correct me if I'm wrong here), so, there should not be any
legitimate organic links that would be linking to https towards
www.openbsd.org/cgi-bin/ in the first place; as such, there's little reason
to change anything here.

C.

On Tue, 31 Mar 2020 at 08:00, Aham Brahmasmi <aham.brahmasmi@gmx.com> wrote:

> Namaste misc,
>
> Apologies for the reincarnation of this mail trail.
>
> > Sent: Tuesday, February 25, 2020 at 10:40 PM
> > From: "Constantine A. Murenin" <mureninc@gmail.com>
> > To: "Vincenzo Nicosia" <katolaz@freaknet.org>
> > Cc: "Stuart Henderson" <stu@spacehopper.org>, "misc@openbsd.org" <
> misc@openbsd.org>
> > Subject: Re: openbsd.org - certain https URLs downgraded to http in
> redirection
> >
> > On Tue, 25 Feb 2020 at 04:35, Vincenzo Nicosia <katolaz@freaknet.org>
> wrote:
> >
> > > On Tue, Feb 25, 2020 at 07:57:24AM -0000, Stuart Henderson wrote:
> > >
> > > [cut]
> > >
> > > > > Want https? great. use it. There are times when it's handy to NOT
> > > > > be obsessed with https (i.e., clock is hosed on your computer).
> > > > >
> > > > > So ... unless some developer I really respect (which is just about
> > > > > all of them!) tells me to change this, I'm not planning on
> > > > > changing the behavior of the machines.
> > > >
> > > > I did object to http->https redirects in the past, but now the web is
> > > > unusable without working https anyway and the "INSECURE openbsd.org"
> > > > shown on some browsers *is* a bit of an eyesore ...
> > > >
> > >
> > > IMHO, the fact that corporates (Google) want to dictate what is secure
> > > and what is not, is not sufficient to force everybody on https, at all
> > > times. I personally don't give a toss of what Chrome thinks of a
> > > website and its security (maybe because I have never used Chrome or
> > > because I quit google searches more than 10 years ago...).
> > >
> > > There are many cases where the overhead introduced by https is really
> > > not worth the extra bit of confidentiality you get. And we are talking
> > > here of manpages (that are installed in your system anyway) and of
> > > system sources (that are available for download at any time, even from
> > > an HTTPS mirror)...
> > >
> > > Sorry for the rant, but if I type "http://bring.me.there" I don't want
> > > to find myself at "https://we.brought.you.somewhere.else". I am not a
> > > chimp. I know what I type in my URL box. I know what I expect. And I
> > > want to be able to serve content via HTTP/1.0 if I need so.
> > >
> >
> > Exactly.
> >
> > Folks often forget, or are blissfully unaware, that Google Search itself
> > still does work over both HTTP (without the S) as well as over the legacy
> > TLSv1.0 HTTPS, so, the propaganda efforts and the destructive webmaster
> > advice given by the Google Chrome and Mozilla teams to suppress the
> > minorities from being able to access the websites is hypocritical, to say
> > the least. /Do as I say, not as I do./
> >
> > The HTTP and TLSv1.0 traffic is mostly bots, some folks say? Surprise —
> > many bots are still controlled by good people, used to do various useful
> > things, so, you're still blocking actual people from a minority class from
> > having access to your website. Not to mention the older phones and tablets
> > with hundreds of megabytes of RAM and gigabytes of storage space that were
> > abandoned by their creators and don't support TLSv1.2 and/or all the newest
> > ciphers that are deemed to be the best practice today. The sad part is
> > that the non-profits of today (e.g., Mozilla and Wikipedia) are effectively
> > brokering the planned obsolescence of all these devices on behalf of the
> > respective vendors.
> >
> > C.
> >
>
> Current situation:
>
> https://www.openbsd.org/cgi-bin/man.cgi* ->
> http://man.openbsd.org/cgi-bin/man.cgi*
> https://www.openbsd.org/cgi-bin/cvsweb ->
> http://cvsweb.openbsd.org/cgi-bin/cvsweb
>
> http://www.openbsd.org/cgi-bin/man.cgi* ->
> http://man.openbsd.org/cgi-bin/man.cgi*
> http://www.openbsd.org/cgi-bin/cvsweb ->
> http://cvsweb.openbsd.org/cgi-bin/cvsweb
>
> What folks here thought I was asking for:
>
> https://www.openbsd.org/cgi-bin/man.cgi* ->
> https://man.openbsd.org/cgi-bin/man.cgi*
> https://www.openbsd.org/cgi-bin/cvsweb ->
> https://cvsweb.openbsd.org/cgi-bin/cvsweb
>
> http://www.openbsd.org/cgi-bin/man.cgi* ->
> https://man.openbsd.org/cgi-bin/man.cgi*
> http://www.openbsd.org/cgi-bin/cvsweb ->
> https://cvsweb.openbsd.org/cgi-bin/cvsweb
>
> What my actual request is:
>
> https://www.openbsd.org/cgi-bin/man.cgi* ->
> https://man.openbsd.org/cgi-bin/man.cgi*
> https://www.openbsd.org/cgi-bin/cvsweb ->
> https://cvsweb.openbsd.org/cgi-bin/cvsweb
>
> http://www.openbsd.org/cgi-bin/man.cgi* ->
> http://man.openbsd.org/cgi-bin/man.cgi*
> http://www.openbsd.org/cgi-bin/cvsweb ->
> http://cvsweb.openbsd.org/cgi-bin/cvsweb
>
> In other words,
>
> Current configuration
> https -> http
> http -> http
>
> Not Intended configuration
> https -> https
> http -> https
>
> Intended configuration
> https -> https
> http -> http
>
> Currently, requests arriving on https as well as http ports are
> redirected to the http port. This effectively downgrades a user-agent
> from https to http, which I think may not be desirable.
>
> In the intended configuration, if a request arrives on the https port,
> it should be redirected to the https port, and not to the http port. If
> a request arrives on the http port, it should continue to be redirected
> to the http port.
>
> This nuance is conveyed from the following line in the configuration in
> my request:
> ...
> listen on * port https
> ...
>
> In terms of httpd.conf configurations:
>
> Probable Current Configuration:
>
> server "openbsd.org" {
>         ...
>         listen on * port http
>         listen on * tls port https
>         ...
>         location "/cgi-bin/man.cgi*" {
>                 block return 301 "http://man...
>                 ...
>         <similarly for cvsweb et al>
>         ...
>
> Intended Future Configuration:
>
> server "openbsd.org" {
>         ...
>         listen on * port http
>         ...
>         location "/cgi-bin/man.cgi*" {
>                 block return 301 "http://man...
>                 ...
>         <similarly for cvsweb et al>
>         ...
>
> server "openbsd.org" {
>         ...
>         listen on * tls port https
>         ...
>         location "/cgi-bin/man.cgi*" {
>                 block return 301 "https://man...
>                 ...
>         <similarly for cvsweb et al>
>         ...
>
> As elaborated above, this change intends to only affect requests which
> originate as https. This change does not intend to affect requests which
> originate as http.
>
> So, I request you to please not redirect http to https. The idea was to
> prevent https downgrade to http. The idea was not to enable http upgrade
> to https.
>
> Au contraire, I believe openbsd.org should remain fully functional on
> http for eternity.
>
> Looking back at my original mail, I think I could have been more clear
> on what I was requesting. I can understand how this came across as the
> request to upgrade http to https.
>
> I struggle between terseness and verbosity. My bad.
>
> Dhanyavaad,
> ab
> (P.S. - this mail is a near identical copy of my reply in an off-list
> conversation that got dropped because gmx has some undiagnosable bounce
> errors when delivering to individual inboxes.)
> ---------|---------|---------|---------|---------|---------|---------|--
>
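The three tables in the quoted mail (current, not intended, intended) describe a redirect by the scheme of the request versus the scheme of the Location header. The Python below, an added example that is not part of the thread and not OpenBSD's own code, turns that distinction into a check you can run against raw responses: it resolves the Location header against the URL that was requested (so a relative or scheme-relative Location keeps the scheme the client used) and reports "downgrade", "upgrade", "preserved" or "no-redirect". The sample responses are constructed to mirror the behaviour the mail describes; nothing is fetched from openbsd.org, and the host names and query string are only illustrative.

```python
"""Classify HTTP redirects as scheme-preserving, upgrading or downgrading.

Added example, not code from the thread or from OpenBSD's httpd(8).  The
raw responses are constructed to mirror the configurations discussed in
the mail; no request is made to openbsd.org.
"""
from urllib.parse import urljoin, urlsplit


def _response(location):
    """Build a constructed 301 response carrying the given Location value."""
    return (
        "HTTP/1.1 301 Moved Permanently\r\n"
        "Server: OpenBSD httpd\r\n"
        "Location: " + location + "\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )


# Constructed samples: (request URL, raw response), named after the mail's
# three tables.  The query string is made up for illustration.
SAMPLES = {
    "current-https": ("https://www.openbsd.org/cgi-bin/man.cgi?query=ls",
                      _response("http://man.openbsd.org/cgi-bin/man.cgi?query=ls")),
    "current-http": ("http://www.openbsd.org/cgi-bin/cvsweb",
                     _response("http://cvsweb.openbsd.org/cgi-bin/cvsweb")),
    "not-intended-http": ("http://www.openbsd.org/cgi-bin/man.cgi",
                          _response("https://man.openbsd.org/cgi-bin/man.cgi")),
    "intended-https": ("https://www.openbsd.org/cgi-bin/cvsweb",
                       _response("https://cvsweb.openbsd.org/cgi-bin/cvsweb")),
    # Scheme-relative Location: the user agent keeps the scheme it used.
    "scheme-relative": ("https://www.openbsd.org/cgi-bin/man.cgi",
                        _response("//man.openbsd.org/cgi-bin/man.cgi")),
    # Not a redirect at all.
    "plain-200": ("https://www.openbsd.org/index.html",
                  "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
}


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers).

    Header names are lower-cased and only the first occurrence of a
    repeated header is kept, which is how browsers treat Location.
    """
    head, _sep, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip junk lines instead of aborting the audit
            headers.setdefault(name.strip().lower(), value.strip())
    return int(parts[1]), headers


def redirect_target(request_url, raw):
    """Return the absolute URL a 3xx response sends the client to, or None.

    Relative and scheme-relative Location values are resolved against the
    requested URL exactly as a user agent would, so "/x" and "//host/x"
    inherit the scheme of the original request.
    """
    status, headers = parse_response(raw)
    if not 300 <= status <= 399 or "location" not in headers:
        return None
    return urljoin(request_url, headers["location"])


def classify(request_url, raw):
    """Compare the requested scheme with the scheme of the redirect target."""
    target = redirect_target(request_url, raw)
    if target is None:
        return "no-redirect"
    src = urlsplit(request_url).scheme.lower()
    dst = urlsplit(target).scheme.lower()
    if src == "https" and dst == "http":
        return "downgrade"
    if src == "http" and dst == "https":
        return "upgrade"
    return "preserved"


def audit(samples):
    """Map each sample name to its verdict."""
    return {name: classify(url, raw) for name, (url, raw) in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print("%-20s %s" % (name, verdict))
```

Only "downgrade" is the case the mail asks to fix; "upgrade" is the behaviour it explicitly does not ask for, and "preserved" is the intended table. To check a live server the same way, fetch each URL with redirects disabled and feed the raw status line and headers to classify().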
