On Thu, Aug 31, 2017 at 11:42:51AM +0200, Paul Menzel wrote:
> Dear suckless folks,
>
>
> On 08/31/17 11:36, ilf wrote:
> > Hiltjo Posthuma:
> > > I'm not a fan of automatic http to HTTPs redirects. It would break
> > > support for some text-based clients or some simple scripts as an
> > > example.
> >
> > I'm a huge fan of these redirects. A simple 301 Moved Permanently has
> > been part of RFC 2616 sinde 1999 and anything not able to handle that is
> > broken: https://tools.ietf.org/html/rfc2616#section-10.3.2
> >
> > Can you tell which clients and scripts break and how?
>
> I understood it the way, that there might be programs not being able to deal
> with TLS.
>
Indeed thats what I meant.
> > > HSTS support makes sure http to https links are changed on the
> > > client-side.
> >
> > Some privacy-settings clean all states on exit, including cookes and
> > HSTS. And people mostly type domains into an URL bar, not protocols.
>
> Two more options would be DNSSEC/DANE for the Web service [1] and HTTPS
> Everywhere [2].
>
I agree or just a simple HTTPs browser bookmark. I think thats better on many
levels, for example otherwise someone can also spoof a plain HTTP redirect.
--
Kind regards,
Hiltjo
Received on Thu Aug 31 2017 - 14:30:01 CEST