Date: Fri, 3 Apr 2015 09:59:31 -0800
Subject: Re: Why does FreeBSD insist on https?
From: Dieter BSD
To: freebsd-questions@freebsd.org

> Why do so many FreeBSD URLs redirect from http to https?
> What is this intended to accomplish?
>
> This is user-hostile. Some browsers cannot do https, and there are
> good reasons (unrelated to http vs https) to use these browsers.
> There are also good reasons to prefer http over https even with a browser
> that can do https. Https is useful when needed, but it isn't needed here.
>
> Can someone *please* fix this?

Maxim replies:

https://www.eff.org/deeplinks/2015/04/china-uses-unencrypted-websites-to-hijack-browsers-in-github-attack

I complain about unnecessary https so of course you offer an https link.
Very useful. Thank you.

From what I've read about that attack there are better ways to prevent
it than using https. (I'll leave that as an exercise for the reader.)

Charles replies:

> Security? Confidentiality?

For information that is openly published?

> Strong(er) assurance of content integrity?

Maybe slightly. But it should be the user's choice.

> There are an increasing # of transparent proxies which rewrite
> content, inject ads, even inject malware for HTTP which are foiled
> by switching to HTTPS + HSTS (HTTP Strict Transport Security).

Perhaps. For the moment. How long until the bad guys find a way
to get around the https/hsts speed bump? Probably not very long,
if they haven't already. Word is that some people *have* already
found ways around the speed bump.

> Any browser which does not support HTTPS is either obsolete or simply
> missing critical functionality.

Ya, ya, kids today consider anything more than 5ns old obsolete.
Doesn't make it so. I have tried a LOT of browsers and they ALL
lack important functionality. Most were so broken they were completely
unusable. I've fixed bugs in browsers and made enhancements to them.
Had to fix well over 1000 bugs in one browser before I managed to get
it to compile.

> Your bank, online stores, utilities,
> almost any site with a login are all going to require HTTPS.

There are plenty of sites with logins that do not require https.

Again, this is information that is openly published. In many,
possibly all, cases the URLs used to work properly with http.

Terje replies:

> If it's causing you any actual trouble

It is. Original message is quoted above, read it again, and don't
assume I'm looking for an argument, or abuse.

I'm not suggesting that the ability to do https be taken away.
Those who want https can type https. I'm only saying that the
website should honor http for those who prefer or need it.