From owner-freebsd-questions@FreeBSD.ORG Fri Apr 3 21:53:16 2015 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D02C1565 for ; Fri, 3 Apr 2015 21:53:16 +0000 (UTC) Received: from mail-qc0-x22a.google.com (mail-qc0-x22a.google.com [IPv6:2607:f8b0:400d:c01::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 81BE68F9 for ; Fri, 3 Apr 2015 21:53:16 +0000 (UTC) Received: by qcbii10 with SMTP id ii10so74245708qcb.2 for ; Fri, 03 Apr 2015 14:53:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=c+0KE+DpSc3iiKptEpMt0UcuDFb+7GWyPiauP0lEo5g=; b=S+klzrmGd+l8JVJz7AXDmAo3EMkb3QRS4RK60ixpXp0qqw66gqN9PQzNyXRL66aoLE 2VUgFrM0Vw4EF+1feMYJNLmfMPtxrtoh48DvdzdkKUpJfV/m6UZfeWTiW5qs1Jh2/Plq vFLY3DqlzPwHPZ4NYtEp+3PuVr3illCXtRaena1vGPtgcHKWzT28xdzfqtliFTyzd7gh jza8PNYwShboNZdsgx+vV2Py4jNmha6DmWdYU6nL1U0JZOQ49OxwkB1gpW7O4aVLbImx qru63aRZIKmMwho7VnUeIMIpo3iA8CCeEYBI/PmoMwxg2jYaWFLGFOeMzoQbsX8/pcwb PQDQ== X-Received: by 10.55.22.194 with SMTP id 63mr8233495qkw.3.1428097995481; Fri, 03 Apr 2015 14:53:15 -0700 (PDT) Received: from localhost.localdomain ([209.181.150.218]) by mx.google.com with ESMTPSA id b17sm6489863qka.11.2015.04.03.14.53.13 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 03 Apr 2015 14:53:14 -0700 (PDT) Message-ID: <551F0BC9.1050405@gmail.com> Date: Fri, 03 Apr 2015 15:53:13 -0600 From: jd1008 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0 MIME-Version: 1.0 To: freebsd-questions@freebsd.org Subject: Re: Why does FreeBSD insist on https? References: <551DA84D.8030205@gmail.com> <20150402222539.37e330f8@gumby.homeunix.com> <551DC4F7.5090005@gmail.com> <551E4F43.1060109@bluerosetech.com> In-Reply-To: <551E4F43.1060109@bluerosetech.com> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Apr 2015 21:53:16 -0000 On 04/03/2015 02:28 AM, Mel Pilgrim wrote: > On 2015-04-03 00:32, Nino J wrote: >> Just bear in mind that the OP mentioned redirect to https. That means >> that >> the initial request to the exact URL (i.e. before being redirected and >> switching to https) is visible. > > Which is why we have HSTS. Packaged HSTS lists prevent the browser > from ever sending an uncrypted URL. > > ________ Unfortunately, too many web sites do not have HSTS installed in the http server. I have seen it in many web sites.