GNU bug report logs - #56468
www.gnu.org doesn't change http: to https:

Previous Next

Full log

Message #22 received at 56468 <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Jerry Peek <jpeek <at> jpeek.com>
Cc: sysadmin <at> gnu.org, 56468 <at> debbugs.gnu.org
Subject: Re: [gnu.org #1853606] Re: [bug-diffutils] bug#56468: www.gnu.org
 doesn't change http: to https:
Date: Fri, 29 Jul 2022 11:39:33 -0700

On 7/29/22 00:09, Jerry Peek wrote:
> I just pasted http://www.gnu.org/software/diffutils/manual/ into the 
> address bar on the latest version of six browsers: Firefox, Opera and 
> Microsoft Edge under Windows 10 and Firefox, Opera and DuckDuckGo 
> Privacy Browser under Android 12. All ended up with the address 
> https://www.gnu.org/software/diffutils/manual/ and a padlock or 
> checkmark showing a "secure" page.
> 
> Under older versions of Cygwin on Windows 10 (I'm not sure how to find 
> the Cygwin version), with GNU wget 1.21.1 and curl 7.76.0, that same 
> address did not seem to redirect to https:

Yes, I think that was the intent of the recent change. That is, 
www.gnu.org now acts more like www.google.com (and as you observed, not 
like www.wikipedia.org; see below). Whether this is the "best" is a 
matter of opinion, but clearly www.gnu.org is now in good company.

http://www.gnu.org is outputting a useless Strict-Transport-Security: 
header but as far as I know that's merely an inefficiency, not a bug.


$ curl --head http://www.gnu.org
HTTP/1.1 200 OK
Date: Fri, 29 Jul 2022 18:24:51 GMT
Server: Apache/2.4.29
Content-Location: home.html
Vary: negotiate,accept-language,Accept-Encoding
TCN: choice
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Access-Control-Allow-Origin: (null)
Accept-Ranges: bytes
Cache-Control: max-age=0
Expires: Fri, 29 Jul 2022 18:24:51 GMT
Content-Type: text/html
Content-Language: en

$ curl --head http://www.google.com
HTTP/1.1 200 OK
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Date: Fri, 29 Jul 2022 18:24:59 GMT
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Expires: Fri, 29 Jul 2022 18:24:59 GMT
Cache-Control: private
Set-Cookie: 1P_JAR=2022-07-29-18; expires=Sun, 28-Aug-2022 18:24:59 GMT; 
path=/; domain=.google.com; Secure
Set-Cookie: 
AEC=AakniGNul8AgwlW6sC5rGWuEvD--cweQ2yad1Ikhxj26O6Ch8rBqoR-UOME; 
expires=Wed, 25-Jan-2023 18:24:59 GMT; path=/; domain=.google.com; 
Secure; HttpOnly; SameSite=lax
Set-Cookie: 
NID=511=Yz43SAbjtYepJ9nfKqIqYjWR8jRXOtsC-M9HjFxCcycnwg5msMBkCZan5pfszqFU9umKm50lEvR14itBCequZk0xxIONvmoGa2mY3rku-ncBRywiX8T86qX_p7Elcl5exzGTLlDbDelFxQv7bBDw0os8bovMYIUSnP8izGWI0-A; 
expires=Sat, 28-Jan-2023 18:24:59 GMT; path=/; domain=.google.com; HttpOnly

$ curl --head http://www.wikipedia.org
HTTP/1.1 301 TLS Redirect
Date: Fri, 29 Jul 2022 18:25:09 GMT
Server: Varnish
X-Varnish: 123005163
X-Cache: cp1077 int
X-Cache-Status: int-front
Server-Timing: cache;desc="int-front", host;desc="cp1077"
Permissions-Policy: interest-cohort=()
Set-Cookie: 
WMF-Last-Access=29-Jul-2022;Path=/;HttpOnly;secure;Expires=Tue, 30 Aug 
2022 12:00:00 GMT
Set-Cookie: 
WMF-Last-Access-Global=29-Jul-2022;Path=/;Domain=.wikipedia.org;HttpOnly;secure;Expires=Tue, 
30 Aug 2022 12:00:00 GMT
X-Client-IP: 2603:8001:6407:db8d:a841:5d39:9c4c:b408
Location: https://www.wikipedia.org/
Content-Length: 0
Connection: keep-alive

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.