openbsd.org - certain https URLs downgraded to http in redirection


openbsd.org - certain https URLs downgraded to http in redirection

Aham Brahmasmi
Namaste misc,

Overview:
Certain https URLs on openbsd.org get downgraded to http in redirection.

Steps:
When navigating to https://www.openbsd.org/cgi-bin/man.cgi [1] from a
browser, one ends up on http://man.openbsd.org/cgi-bin/man.cgi.

Same with https://www.openbsd.org/cgi-bin/cvsweb [1], which ends up on
http://cvsweb.openbsd.org/cgi-bin/cvsweb/.

Probable Solution:
Would we benefit from changing our httpd.conf to
...
        listen on * port https
...
        location "/cgi-bin/man.cgi*" {
                block return 301 "https://man...
...
<similarly for cvsweb et al>
...

This is similar to the recommended httpd.conf for OpenBSD mirrors [2].

Dhanyavaad,
ab
[1] - These URLs are among the top search results for the search terms
"openbsd man", "openbsd cvsweb" et al, as returned by a privacy-friendly
non-evil web search engine.
[2] - https://cvsweb.openbsd.org/cgi-bin/cvsweb/www/httpd.conf?rev=1.5&content-type=text/x-cvsweb-markup


Re: openbsd.org - certain https URLs downgraded to http in redirection

Sebastian Benoit
Aham Brahmasmi([hidden email]) on 2020.02.12 10:34:55 +0100:

> Namaste misc,
>
> Overview:
> Certain https URLs on openbsd.org get downgraded to http in redirection.
>
> Steps:
> When navigating to https://www.openbsd.org/cgi-bin/man.cgi [1] from a
> browser, one ends up on http://man.openbsd.org/cgi-bin/man.cgi.
>
> Same with https://www.openbsd.org/cgi-bin/cvsweb [1], which ends up on
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/.
>
> Probable Solution:
> Would we benefit from changing our httpd.conf to
> ...
>         listen on * port https
> ...
>         location "/cgi-bin/man.cgi*" {
>                 block return 301 "https://man...
> ...
> <similarly for cvsweb et al>
> ...
>
> This is similar to the recommended httpd.conf for OpenBSD mirrors [2].
>
> Dhanyavaad,
> ab
> [1] - These URLs are among the top search results for the search terms
> "openbsd man", "openbsd cvsweb" et al, as returned by a privacy-friendly
> non-evil web search engine.
> [2] - https://cvsweb.openbsd.org/cgi-bin/cvsweb/www/httpd.conf?rev=1.5&content-type=text/x-cvsweb-markup

Thanks for noticing this.

These two services are run by volunteers, and it's up to them how to provide
the service.

If you want to keep it secret what manpage you are looking at or what src
file you are reading, OpenBSD comes with fine command line tools that don't
need network access after initial installation.

Best regards,
B.


Re: openbsd.org - certain https URLs downgraded to http in redirection

Nick Holland
In reply to this post by Aham Brahmasmi
Sorry, took a look at this a while back when I didn't have time to
fully work through it...and then forgot about it. ;-/

On 2020-02-12 04:34, Aham Brahmasmi wrote:

> Namaste misc,
>
> Overview:
> Certain https URLs on openbsd.org get downgraded to http in redirection.
>
> Steps:
> When navigating to https://www.openbsd.org/cgi-bin/man.cgi [1] from a
> browser, one ends up on http://man.openbsd.org/cgi-bin/man.cgi.
>
> Same with https://www.openbsd.org/cgi-bin/cvsweb [1], which ends up on
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/.

I Google for "openbsd man", I end up with a link to
httpS://man.openbsd.org.
and it takes me to man.openbsd.org via httpS.

I duckduckgo.com for "openbsd man", same thing.
(yay.  I just used a website as a verb.)

Google does seem to show a link for httpS://cvsweb.openbsd.org, but
tosses the browser at http://cvsweb.openbsd.org. DuckDuckGo does not
and does what you would expect and hope.

Looking at the page source for the google return, it DOES appear to
be sending the browser to http://, so everything is working as
designed.  Is there a problem?  Yes -- google is aware https://
those sites exists, but doesn't actually send users to them.
Apparently your favorite search engine does as well.  Perhaps it
isn't as privacy friendly as you are thinking it is.  The problem
isn't with the websites, it's with where the search engine is
sending the user.

You want it changed so that when someone clicks on a link, they go
somewhere OTHER than where that link sends them?  I understand your
goal (everything should be HTTPS!!), but I don't really like the
idea of "click here, go elsewhere".

Want https? great. use it.  There are times when it's handy to NOT
be obsessed with https (i.e., clock is hosed on your computer).  

So ... unless some developer I really respect (which is just about
all of them1) tells me to change this, I'm not planning on
changing the behavior of the machines.

Nick.


Re: openbsd.org - certain https URLs downgraded to http in redirection

Stuart Henderson
On 2020-02-25, Nick Holland <[hidden email]> wrote:

> Sorry, took a look at this a while back when I didn't have time to
> fully work through it...and then forgot about it. ;-/
>
> On 2020-02-12 04:34, Aham Brahmasmi wrote:
>> Namaste misc,
>>
>> Overview:
>> Certain https URLs on openbsd.org get downgraded to http in redirection.
>>
>> Steps:
>> When navigating to https://www.openbsd.org/cgi-bin/man.cgi [1] from a
>> browser, one ends up on http://man.openbsd.org/cgi-bin/man.cgi.
>>
>> Same with https://www.openbsd.org/cgi-bin/cvsweb [1], which ends up on
>> http://cvsweb.openbsd.org/cgi-bin/cvsweb/.
>
> I Google for "openbsd man", I end up with a link to
> httpS://man.openbsd.org.
> and it takes me to man.openbsd.org via httpS.
>
> I duckduckgo.com for "openbsd man", same thing.
> (yay.  I just used a website as a verb.)
>
> Google does seem to show a link for httpS://cvsweb.openbsd.org, but
> tosses the browser at http://cvsweb.openbsd.org. DuckDuckGo does not
> and does what you would expect and hope.

Google has https://www.openbsd.org/cgi-bin/cvsweb/, not
https://cvsweb.openbsd.org.

> Looking at the page source for the google return, it DOES appear to
> be sending the browser to http://, so everything is working as
> designed.  Is there a problem?  Yes -- google is aware https://
> those sites exists, but doesn't actually send users to them.
>
> Apparently your favorite search engine does as well.  Perhaps it
> isn't as privacy friendly as you are thinking it is.  The problem
> isn't with the websites, it's with where the search engine is
> sending the user.

The problem *is* with the website (specifically www.openbsd.org, not
man/cvsweb). It redirects the old cgi-bin URLs to http versions whatever
protocol the request came in on.

$ ftp -o/dev/null https://www.openbsd.org/cgi-bin/cvsweb/
Trying 129.128.5.194...
Requesting https://www.openbsd.org/cgi-bin/cvsweb/
Redirected to http://cvsweb.openbsd.org/cgi-bin/cvsweb/
Trying 128.100.17.243...
Requesting http://cvsweb.openbsd.org/cgi-bin/cvsweb/
2607 bytes received in 0.01 seconds (265.55 KB/s)

$ ftp -o/dev/null https://www.openbsd.org/cgi-bin/man.cgi
Trying 129.128.5.194...
Requesting https://www.openbsd.org/cgi-bin/man.cgi
Redirected to http://man.openbsd.org/cgi-bin/man.cgi
Trying 128.100.17.244...
Requesting http://man.openbsd.org/cgi-bin/man.cgi
5590 bytes received in 0.00 seconds (1.55 MB/s)

> You want it changed so that when someone clicks on a link, they go
> somewhere OTHER than where that link sends them?  I understand your
> goal (everything should be HTTPS!!), but I don't really like the
> idea of "click here, go elsewhere".
>
> Want https? great. use it.  There are times when it's handy to NOT
> be obsessed with https (i.e., clock is hosed on your computer).  
>
> So ... unless some developer I really respect (which is just about
> all of them1) tells me to change this, I'm not planning on
> changing the behavior of the machines.

I did object to http->https redirects in the past, but now the web is
unusable without working https anyway and the "INSECURE openbsd.org"
shown on some browsers *is* a bit of an eyesore ...
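The ftp(1) transcripts above show the downgrade by hand. As an added example (not part of this thread, and not OpenBSD project code), here is a small script that parses that same "Requesting ... / Redirected to ..." output format and flags every hop where a request made over https was answered with a Location pointing at plain http. The sample transcript embedded in it is the two runs quoted in the message above, joined together; the function and variable names are this example's own.

```python
"""Detect https -> http downgrades in a redirect chain.

Added example, not from the thread.  It parses the lines that OpenBSD's
ftp(1) prints while following redirects ("Requesting ..." and
"Redirected to ...") and reports any hop that drops from https to http.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: the two ftp(1) transcripts quoted in the message
# above, concatenated.  Lines other than Requesting/Redirected are ignored.
SAMPLE_TRANSCRIPT = """\
$ ftp -o/dev/null https://www.openbsd.org/cgi-bin/cvsweb/
Trying 129.128.5.194...
Requesting https://www.openbsd.org/cgi-bin/cvsweb/
Redirected to http://cvsweb.openbsd.org/cgi-bin/cvsweb/
Trying 128.100.17.243...
Requesting http://cvsweb.openbsd.org/cgi-bin/cvsweb/
2607 bytes received in 0.01 seconds (265.55 KB/s)
$ ftp -o/dev/null https://www.openbsd.org/cgi-bin/man.cgi
Trying 129.128.5.194...
Requesting https://www.openbsd.org/cgi-bin/man.cgi
Redirected to http://man.openbsd.org/cgi-bin/man.cgi
Trying 128.100.17.244...
Requesting http://man.openbsd.org/cgi-bin/man.cgi
5590 bytes received in 0.00 seconds (1.55 MB/s)
"""

_REQUESTING = re.compile(r"^Requesting (\S+)$")
_REDIRECTED = re.compile(r"^Redirected to (\S+)$")


def parse_hops(transcript):
    """Return a list of (requested_url, location) pairs.

    Each "Redirected to" line is paired with the most recent "Requesting"
    line.  A "Requesting" line with no following redirect is the final
    fetch and yields no pair.
    """
    hops = []
    current = None
    for raw in transcript.splitlines():
        line = raw.strip()
        m = _REQUESTING.match(line)
        if m:
            current = m.group(1)
            continue
        m = _REDIRECTED.match(line)
        if m and current is not None:
            hops.append((current, m.group(1)))
            current = None
    return hops


def find_downgrades(hops):
    """Return only the hops where an https request was sent to plain http."""
    downgrades = []
    for requested, location in hops:
        if (urlsplit(requested).scheme == "https"
                and urlsplit(location).scheme == "http"):
            downgrades.append((requested, location))
    return downgrades


def report(transcript):
    """Print a summary and return the number of downgrading hops."""
    downgrades = find_downgrades(parse_hops(transcript))
    for requested, location in downgrades:
        print(f"DOWNGRADE: {requested} -> {location}")
    if not downgrades:
        print("no https->http downgrade found")
    return len(downgrades)


if __name__ == "__main__":
    report(SAMPLE_TRANSCRIPT)
```

Run against the sample it reports both hops from the thread as downgrades; fed a transcript of a server that redirects https to https it reports none. The check is on the scheme of the Location target only, so a redirect that changes host but keeps https (the behaviour the first message proposes) is not flagged.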


Re: openbsd.org - certain https URLs downgraded to http in redirection

KatolaZ
On Tue, Feb 25, 2020 at 07:57:24AM -0000, Stuart Henderson wrote:

[cut]

> > Want https? great. use it.  There are times when it's handy to NOT
> > be obsessed with https (i.e., clock is hosed on your computer).  
> >
> > So ... unless some developer I really respect (which is just about
> > all of them1) tells me to change this, I'm not planning on
> > changing the behavior of the machines.
>
> I did object to http->https redirects in the past, but now the web is
> unusable without working https anyway and the "INSECURE openbsd.org"
> shown on some browsers *is* a bit of an eyesore ...
>

IMHO, the fact that corporates (Google) want to dictate what is secure
and what is not, is not sufficient to force everybody on https, at all
times. I personally don't give a toss of what Chrome thinks of a
website and its security (maybe because I have never used Chrome or
because I quit google searches more than 10 years ago...).

There are many cases where the overhead introduced by https is really
not worth the extra bit of confidentiality you get. And we are talking
here of manpages (that are installed in your system anyway) and of
system sources (that are available for download at any time, even from
an HTTPS mirror)...

Sorry for the rant, but if I type "http://bring.me.there" I don't want
to find myself at "https://we.brought.you.somewhere.else". I am not a
chimp. I know what I type in my URL box. I know what I expect. And I
want to be able to serve content via HTTP/1.0 if I need so.


Re: openbsd.org - certain https URLs downgraded to http in redirection

greg
February 25, 2020 11:32 PM, "Vincenzo Nicosia" <[hidden email]> wrote:

> There are many cases where the overhead introduced by https is really
> not worth the extra bit of confidentiality you get.

It's not just about confidentiality - https also ensures integrity, and
prevents nefarious network operators (i.e. your ISP) from altering your
requested web pages to insert ads or other malware. This happens more often
than you might expect.

Fortunately, the wide adoption of https has made these sorts of evil content
alteration less appealing.


Re: openbsd.org - certain https URLs downgraded to http in redirection

Constantine A. Murenin
In reply to this post by KatolaZ
On Tue, 25 Feb 2020 at 04:35, Vincenzo Nicosia <[hidden email]> wrote:

> On Tue, Feb 25, 2020 at 07:57:24AM -0000, Stuart Henderson wrote:
>
> [cut]
>
> > > Want https? great. use it.  There are times when it's handy to NOT
> > > be obsessed with https (i.e., clock is hosed on your computer).
> > >
> > > So ... unless some developer I really respect (which is just about
> > > all of them1) tells me to change this, I'm not planning on
> > > changing the behavior of the machines.
> >
> > I did object to http->https redirects in the past, but now the web is
> > unusable without working https anyway and the "INSECURE openbsd.org"
> > shown on some browsers *is* a bit of an eyesore ...
> >
>
> IMHO, the fact that corporates (Google) want to dictate what is secure
> and what is not, is not sufficient to force everybody on https, at all
> times. I personally don't give a toss of what Chrome thinks of a
> website and its security (maybe because I have never used Chrome or
> because I quit google searches more than 10 years ago...).
>
> There are many cases where the overhead introduced by https is really
> not worth the extra bit of confidentiality you get. And we are talking
> here of manpages (that are installed in your system anyway) and of
> system sources (that are available for download at any time, even from
> an HTTPS mirror)...
>
> Sorry for the rant, but if I type "http://bring.me.there" I don't want
> to find myself at "https://we.brought.you.somewhere.else". I am not a
> chimp. I know what I type in my URL box. I know what I expect. And I
> want to be able to serve content via HTTP/1.0 if I need so.
>

Exactly.

Folks often forget, or are blissfully unaware, that Google Search itself
still does work over both HTTP (without the S) as well as over the legacy
TLSv1.0 HTTPS, so, the propaganda efforts and the destructive webmaster
advice given by the Google Chrome and Mozilla teams to suppress the
minorities from being able to access the websites is hypocritical, to say
the least.  /Do as I say, not as I do./

The HTTP and TLSv1.0 traffic is mostly bots, some folks say?  Surprise —
many bots are still controlled by good people, used to do various useful
things, so, you're still blocking actual people from a minority class from
having access to your website.  Not to mention the older phones and tablets
with hundreds of megabytes of RAM and gigabytes of storage space that were
abandoned by their creators and don't support TLSv1.2 and/or all the newest
ciphers that are deemed to be the best practice today.  The sad part is
that the non-profits of today (e.g., Mozilla and Wikipedia) are effectively
brokering the planned obsolescence of all these devices on behalf of the
respective vendors.

C.