From: David Benfell
To: freebsd-questions@freebsd.org
Date: Fri, 03 Apr 2015 18:22:07 -0700
Subject: Re: Why does FreeBSD insist on https?
Message-ID: <20150403182207.Horde.4tWAInV2MEGqMujCj2DYHw8@mail.parts-unknown.org>
In-Reply-To: <551F0BC9.1050405@gmail.com>

Quoting jd1008:

> On 04/03/2015 02:28 AM, Mel Pilgrim wrote:
>> On 2015-04-03 00:32, Nino J wrote:
>>> Just bear in mind that the OP mentioned redirect to https. That means that
>>> the initial request to the exact URL (i.e. before being redirected and
>>> switching to https) is visible.
>>
>> Which is why we have HSTS. Packaged HSTS lists prevent the browser
>> from ever sending an uncrypted URL.
>
> Unfortunately, too many web sites do not have HSTS installed in the
> http server.
> I have seen it in many web sites.

I've been using Qualys SSL Check to catch details like this. The word
probably *does* need to be put out better that you have not properly
configured a web site unless you've visited a site like this and
checked.

-- 
David Benfell