From: Jerry Peek
Date: Sat, 9 Jul 2022 10:03:45 -0700
To: bug-diffutils@gnu.org
Subject: www.gnu.org doesn't change http: to https:

Hi --

I just clicked on an old link to http://www.gnu.org/software/diffutils/manual/. Then the web browser showed the address http://www.gnu.org/software/diffutils/manual/ and marked it "insecure". So I tried https://www.gnu.org/software/diffutils/manual/ (with an s) and the browser showed that address.

I'm writing to suggest that you might add a redirect from http://www.gnu.org/software/diffutils/manual/ to https://www.gnu.org/software/diffutils/manual/ so that no one will get the "insecure" page.

Thanks --
Jerry Peek

PS: This might be true for other pages at www.gnu.org. I haven't checked.


From: Paul Eggert
Date: Sat, 9 Jul 2022 14:03:58 -0500
To: Jerry Peek
Cc: webmasters@gnu.org, 56468-done@debbugs.gnu.org
Subject: Re: [bug-diffutils] bug#56468: www.gnu.org doesn't change http: to https:

On 7/9/22 12:03, Jerry Peek wrote:
> I just clicked on an old link to
> http://www.gnu.org/software/diffutils/manual/. Then the web browser
> showed the address http://www.gnu.org/software/diffutils/manual/ and
> marked it "insecure". So I tried
> https://www.gnu.org/software/diffutils/manual/ (with an s) and the
> browser showed that address.
>
> I'm writing to suggest that you might add a redirect from
> http://www.gnu.org/software/diffutils/manual/ to
> https://www.gnu.org/software/diffutils/manual/ so that no one will get
> the "insecure" page.

Thanks for reporting this. The problem seems to be that when contacted via the HTTP protocol, www.gnu.org responds like the following, even though this doesn't make sense:

  $ curl --head http://www.gnu.org
  HTTP/1.1 200 OK
  Date: Sat, 09 Jul 2022 18:55:16 GMT
  Server: Apache/2.4.29
  Content-Location: home.html
  Vary: negotiate,accept-language,Accept-Encoding
  TCN: choice
  Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  X-Frame-Options: sameorigin
  X-Content-Type-Options: nosniff
  Access-Control-Allow-Origin: (null)
  Accept-Ranges: bytes
  Cache-Control: max-age=0
  Expires: Sat, 09 Jul 2022 18:55:16 GMT
  Content-Type: text/html
  Content-Language: en

The problem with this response is that HTTP clients are supposed to ignore the Strict-Transport-Security: header. That header makes sense only in an HTTPS response. www.gnu.org should respond like this:

  $ curl --head http://www.github.com
  HTTP/1.1 301 Moved Permanently
  Content-Length: 0
  Location: https://www.github.com/

I'm forwarding this to webmasters@gnu.org, who are people who can fix this, and am closing this diffutils bug report.

From: "Andrew Engelbrecht via RT"
Date: Thu, 28 Jul 2022 15:08:46 -0400
Cc: eggert@cs.ucla.edu, 56468-done@debbugs.gnu.org
Reply-To: sysadmin@gnu.org
Subject: [gnu.org #1853606] Re: [bug-diffutils] bug#56468: www.gnu.org doesn't change http: to https:

On Sat Jul 09 15:04:09 2022, eggert@CS.UCLA.EDU wrote:
> On 7/9/22 12:03, Jerry Peek wrote:
> > I just clicked on an old link to
> > http://www.gnu.org/software/diffutils/manual/. Then the web browser
> > showed the address http://www.gnu.org/software/diffutils/manual/ and
> > marked it "insecure". So I tried
> > https://www.gnu.org/software/diffutils/manual/ (with an s) and the
> > browser showed that address.
> >
> > I'm writing to suggest that you might add a redirect from
> > http://www.gnu.org/software/diffutils/manual/ to
> > https://www.gnu.org/software/diffutils/manual/ so that no one will get
> > the "insecure" page.

Hi,

Sorry about the delayed reply.

We want to support both HTTPS and HTTP, for those who are using old browsers with outdated ciphers, etc. The HSTS rule is there for people who do visit the HTTPS site, so they will automatically use it in the future.

I would personally lean towards more HTTPS, but so far, gnu.org is an exception to that. More discussion is welcome.

Thanks,
Andrew

From: Paul Eggert
Organization: UCLA Computer Science Department
Date: Thu, 28 Jul 2022 13:23:58 -0700
To: sysadmin@gnu.org
Cc: jpeek@jpeek.com, 56468@debbugs.gnu.org
Subject: Re: [gnu.org #1853606] Re: [bug-diffutils] bug#56468: www.gnu.org doesn't change http: to https:

On 7/28/22 12:08, Andrew Engelbrecht via RT wrote:
> We want to support both HTTPS and HTTP, for those who are using old browsers with outdated ciphers, etc. The HSTS rule is there for people who do visit the HTTPS site, so they will automatically use it in the future.

That sort of thing made sense years ago. But nowadays all the top websites (google.com, youtube.com, facebook.com, wikipedia.org, twitter.com, reddit.com, amazon.com, etc.) redirect HTTP to HTTPS. For example:

  $ curl --head http://wikipedia.org
  HTTP/1.1 301 TLS Redirect
  Date: Thu, 28 Jul 2022 20:21:38 GMT
  Server: Varnish
  X-Varnish: 376727111
  X-Cache: cp4029 int
  X-Cache-Status: int-front
  Server-Timing: cache;desc="int-front", host;desc="cp4029"
  Permissions-Policy: interest-cohort=()
  Set-Cookie: WMF-Last-Access=28-Jul-2022;Path=/;HttpOnly;secure;Expires=Mon, 29 Aug 2022 12:00:00 GMT
  Set-Cookie: WMF-Last-Access-Global=28-Jul-2022;Path=/;Domain=.wikipedia.org;HttpOnly;secure;Expires=Mon, 29 Aug 2022 12:00:00 GMT
  X-Client-IP: 2603:8001:6407:db8d:2280:c8bd:bd1c:bace
  Location: https://wikipedia.org/
  Content-Length: 0
  Connection: keep-alive

Essentially nobody uses browsers so old that they can't handle this, so gnu.org might as well do what major websites do. That way, we won't confuse and/or discourage ordinary users like the person who filed GNU Bug#56488.

From: Paul Eggert
Organization: UCLA Computer Science Department
Date: Thu, 28 Jul 2022 16:04:22 -0700
To: sysadmin@gnu.org
Cc: 56468@debbugs.gnu.org, jpeek@jpeek.com
Subject: Re: [gnu.org #1853606] Re: [bug-diffutils] bug#56468: www.gnu.org doesn't change http: to https:

On 7/28/22 15:16, Ian Kelling via RT wrote:
> If you
> can figure out a good test on the user agent string, please
> let us know.

Another possibility is to have the HTTP page load a script from HTTPS, and if that loads and runs correctly, have the script redirect to HTTPS. Or the script could do a more-elaborate test, such as checking whether the browser supports SNI. This should work for the use case prompting the bug report (a casual user on a modern browser), while not affecting ancient browsers, curl, etc. And it'd mean you wouldn't need to worry about maintaining a test based on user agent strings.

There's a 10-year-old serverfault post about doing this with SNI, here:

https://serverfault.com/questions/389806/redirect-to-ssl-only-if-browser-supports-sni

If you don't like the idea of a script, that post also talks about whitelisting user agents known to support SNI, which is more the sort of thing you're asking for.

From: Paul Eggert
Organization: UCLA Computer Science Department
Date: Fri, 29 Jul 2022 11:39:33 -0700
To: Jerry Peek
Cc: sysadmin@gnu.org, 56468@debbugs.gnu.org
Subject: Re: [gnu.org #1853606] Re: [bug-diffutils] bug#56468: www.gnu.org doesn't change http: to https:

On 7/29/22 00:09, Jerry Peek wrote:
> I just pasted http://www.gnu.org/software/diffutils/manual/ into the
> address bar on the latest version of six browsers: Firefox, Opera and
> Microsoft Edge under Windows 10 and Firefox, Opera and DuckDuckGo
> Privacy Browser under Android 12. All ended up with the address
> https://www.gnu.org/software/diffutils/manual/ and a padlock or
> checkmark showing a "secure" page.
>
> Under older versions of Cygwin on Windows 10 (I'm not sure how to find
> the Cygwin version), with GNU wget 1.21.1 and curl 7.76.0, that same
> address did not seem to redirect to https:

Yes, I think that was the intent of the recent change. That is, www.gnu.org now acts more like www.google.com (and as you observed, not like www.wikipedia.org; see below). Whether this is the "best" is a matter of opinion, but clearly www.gnu.org is now in good company.

http://www.gnu.org is outputting a useless Strict-Transport-Security: header but as far as I know that's merely an inefficiency, not a bug.

  $ curl --head http://www.gnu.org
  HTTP/1.1 200 OK
  Date: Fri, 29 Jul 2022 18:24:51 GMT
  Server: Apache/2.4.29
  Content-Location: home.html
  Vary: negotiate,accept-language,Accept-Encoding
  TCN: choice
  Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  X-Frame-Options: sameorigin
  X-Content-Type-Options: nosniff
  Access-Control-Allow-Origin: (null)
  Accept-Ranges: bytes
  Cache-Control: max-age=0
  Expires: Fri, 29 Jul 2022 18:24:51 GMT
  Content-Type: text/html
  Content-Language: en

  $ curl --head http://www.google.com
  HTTP/1.1 200 OK
  Content-Type: text/html; charset=ISO-8859-1
  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
  Date: Fri, 29 Jul 2022 18:24:59 GMT
  Server: gws
  X-XSS-Protection: 0
  X-Frame-Options: SAMEORIGIN
  Transfer-Encoding: chunked
  Expires: Fri, 29 Jul 2022 18:24:59 GMT
  Cache-Control: private
  Set-Cookie: 1P_JAR=2022-07-29-18; expires=Sun, 28-Aug-2022 18:24:59 GMT; path=/; domain=.google.com; Secure
  Set-Cookie: AEC=AakniGNul8AgwlW6sC5rGWuEvD--cweQ2yad1Ikhxj26O6Ch8rBqoR-UOME; expires=Wed, 25-Jan-2023 18:24:59 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
  Set-Cookie: NID=511=Yz43SAbjtYepJ9nfKqIqYjWR8jRXOtsC-M9HjFxCcycnwg5msMBkCZan5pfszqFU9umKm50lEvR14itBCequZk0xxIONvmoGa2mY3rku-ncBRywiX8T86qX_p7Elcl5exzGTLlDbDelFxQv7bBDw0os8bovMYIUSnP8izGWI0-A; expires=Sat, 28-Jan-2023 18:24:59 GMT; path=/; domain=.google.com; HttpOnly

  $ curl --head http://www.wikipedia.org
  HTTP/1.1 301 TLS Redirect
  Date: Fri, 29 Jul 2022 18:25:09 GMT
  Server: Varnish
  X-Varnish: 123005163
  X-Cache: cp1077 int
  X-Cache-Status: int-front
  Server-Timing: cache;desc="int-front", host;desc="cp1077"
  Permissions-Policy: interest-cohort=()
  Set-Cookie: WMF-Last-Access=29-Jul-2022;Path=/;HttpOnly;secure;Expires=Tue, 30 Aug 2022 12:00:00 GMT
  Set-Cookie: WMF-Last-Access-Global=29-Jul-2022;Path=/;Domain=.wikipedia.org;HttpOnly;secure;Expires=Tue, 30 Aug 2022 12:00:00 GMT
  X-Client-IP: 2603:8001:6407:db8d:a841:5d39:9c4c:b408
  Location: https://www.wikipedia.org/
  Content-Length: 0
  Connection: keep-alive

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Message-Id: bug archived.
Date: Sat, 27 Aug 2022 11:24:05 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
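
Added example, not part of the thread and not gnu.org's or any browser's code: a small Python model of the client-side HSTS rules (RFC 6797) the messages above argue about. It shows that the Strict-Transport-Security value from the curl output is ignored on an http: response and only upgrades the old link after one https: visit. HstsStore, parse_sts and demo are hypothetical names, and URLs are assumed to use default ports.

```python
"""Client-side HSTS handling (RFC 6797), modelled as a tiny policy store.

Added illustration: HstsStore, parse_sts and demo are hypothetical names.
Assumption: URLs use default ports (no explicit :80 rewriting).
"""
from urllib.parse import urlsplit

# Header value quoted in the thread's `curl --head http://www.gnu.org` output.
STS = "max-age=63072000; includeSubDomains; preload"


def parse_sts(value):
    """Return (max_age, include_subdomains), or None if max-age is unusable."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name == "max-age":
            arg = arg.strip().strip('"')     # value may be a quoted-string
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        # directives this model does not know, such as "preload", are skipped
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    def __init__(self):
        self.hosts = {}                      # host -> (expiry, include_subdomains)

    def note_response(self, url, headers, now):
        """Process one response; return True if the stored policy changed."""
        parts = urlsplit(url)
        sts = next((v for k, v in headers.items()
                    if k.lower() == "strict-transport-security"), None)
        # RFC 6797 section 8.1: the header MUST be ignored on insecure transport.
        if sts is None or parts.scheme != "https" or not parts.hostname:
            return False
        policy = parse_sts(sts)
        if policy is None:
            return False
        max_age, include_sub = policy
        host = parts.hostname.lower()
        if max_age == 0:                     # max-age=0 deletes the entry
            return self.hosts.pop(host, None) is not None
        self.hosts[host] = (now + max_age, include_sub)
        return True

    def covered(self, host, now):
        """True if host, or a parent with includeSubDomains, has a live entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade http: to https: before the request is sent, if policy applies."""
        parts = urlsplit(url)
        if (parts.scheme == "http" and parts.hostname
                and self.covered(parts.hostname, now)):
            return parts._replace(scheme="https").geturl()
        return url


def demo():
    """Old http: link before and after one https: visit, then after expiry."""
    store, link = HstsStore(), "http://www.gnu.org/software/diffutils/manual/"
    headers = {"Strict-Transport-Security": STS}
    store.note_response("http://www.gnu.org/", headers, now=0)    # ignored
    first = store.rewrite(link, now=1)
    store.note_response("https://www.gnu.org/", headers, now=1)   # recorded
    later = store.rewrite(link, now=2)
    expired = store.rewrite(link, now=1 + 63072000)
    return first, later, expired


if __name__ == "__main__":
    print(demo())
```

In this model a client that never makes an https: request to the host never gets upgraded, which is the gap a 301 redirect on the http: side closes.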