GNU bug report logs - #56468
www.gnu.org doesn't change http: to https:


Package: diffutils

Reported by: Jerry Peek <jpeek <at> jpeek.com>

Date: Sat, 9 Jul 2022 17:05:02 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Jerry Peek <jpeek <at> jpeek.com>
Subject: bug#56468: closed (Re: [bug-diffutils] bug#56468: www.gnu.org
 doesn't change http: to https:)
Date: Sat, 09 Jul 2022 19:05:02 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#56468: www.gnu.org doesn't change http: to https:

which was filed against the diffutils package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 56468 <at> debbugs.gnu.org.

-- 
56468: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=56468
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Jerry Peek <jpeek <at> jpeek.com>
Cc: webmasters <at> gnu.org, 56468-done <at> debbugs.gnu.org
Subject: Re: [bug-diffutils] bug#56468: www.gnu.org doesn't change http: to
 https:
Date: Sat, 9 Jul 2022 14:03:58 -0500
On 7/9/22 12:03, Jerry Peek wrote:
> I just clicked on an old link to 
> http://www.gnu.org/software/diffutils/manual/. Then the web browser 
> showed the address http://www.gnu.org/software/diffutils/manual/ and 
> marked it "insecure". So I tried 
> https://www.gnu.org/software/diffutils/manual/ (with an s) and the 
> browser showed that address.
>
> I'm writing to suggest that you might add a redirect from 
> http://www.gnu.org/software/diffutils/manual/ to 
> https://www.gnu.org/software/diffutils/manual/ so that no one will get 
> the "insecure" page. 


Thanks for reporting this <https://bugs.gnu.org/56468>. The problem 
seems to be that when contacted via the HTTP protocol, www.gnu.org 
responds like the following, even though this doesn't make sense:

$ curl --head http://www.gnu.org
HTTP/1.1 200 OK
Date: Sat, 09 Jul 2022 18:55:16 GMT
Server: Apache/2.4.29
Content-Location: home.html
Vary: negotiate,accept-language,Accept-Encoding
TCN: choice
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Access-Control-Allow-Origin: (null)
Accept-Ranges: bytes
Cache-Control: max-age=0
Expires: Sat, 09 Jul 2022 18:55:16 GMT
Content-Type: text/html
Content-Language: en

The problem with this response is that HTTP clients are supposed to 
ignore the Strict-Transport-Security: header. That header makes sense 
only in an HTTPS response. www.gnu.org should respond like this:

$ curl --head http://www.github.com
HTTP/1.1 301 Moved Permanently
Content-Length: 0
Location: https://www.github.com/

I'm forwarding this to webmasters <at> gnu.org, who are people who can fix 
this, and am closing this diffutils bug report <https://bugs.gnu.org/56468>.


[Message part 3 (message/rfc822, inline)]
From: Jerry Peek <jpeek <at> jpeek.com>
To: bug-diffutils <at> gnu.org
Subject: www.gnu.org doesn't change http: to https:
Date: Sat, 9 Jul 2022 10:03:45 -0700
[Message part 4 (text/plain, inline)]
Hi --

I just clicked on an old link to 
http://www.gnu.org/software/diffutils/manual/. Then the web browser 
showed the address http://www.gnu.org/software/diffutils/manual/ and 
marked it "insecure". So I tried 
https://www.gnu.org/software/diffutils/manual/ (with an s) and the 
browser showed that address.

I'm writing to suggest that you might add a redirect from 
http://www.gnu.org/software/diffutils/manual/ to 
https://www.gnu.org/software/diffutils/manual/ so that no one will get 
the "insecure" page.

Thanks --
Jerry Peek

PS: This might be true for other pages at www.gnu.org. I haven't checked.

This bug report was last modified 2 years and 297 days ago.
