Why does FreeBSD insist on https?

Dieter BSD dieterbsd at gmail.com
Fri Apr 3 17:59:32 UTC 2015


> Why do so many FreeBSD URLs redirect from http to https?
> What is this intended to accomplish?
>
> This is user-hostile.  Some browsers cannot do https, and there are
> good reasons (unrelated to http vs https) to use these browsers.
> There are also good reasons to prefer http over https even with a browser
> that can do https.  Https is useful when needed, but it isn't needed here.
>
> Can someone *please* fix this?

Maxim replies:
https://www.eff.org/deeplinks/2015/04/china-uses-unencrypted-websites-to-hijack-browsers-in-github-attack

I complain about unnecessary https so of course you offer a https link.
Very useful.  Thank you.

From what I've read about that attack there are better ways to prevent it
than using https.  (I'll leave that as an exercise for the reader.)

Charles replies:
> Security?  Confidentiality?

For information that is openly published?

> Strong(er) assurance of content integrity?

Maybe slightly.  But it should be the user's choice.

> There are an increasing # of transparent proxies which rewrite
> content, inject ads, even inject malware for HTTP which are foiled
> by switching to HTTPS + HSTS (HTTP Strict Transport Security).

Perhaps.  For the moment.  How long until the bad guys find a way to
get around the https/hsts speed bump?  Probably not very long, if they
haven't already.  Word is that some people *have* already found ways
around the speed bump.

> Any browser which does not support HTTPS is either obsolete or simply
> missing critical functionality.

Ya, ya, kids today consider anything more than 5ns old obsolete.
Doesn't make it so.

I have tried a LOT of browsers and they ALL lack important functionality.
Most were so broken they were completely unusable.  I've fixed bugs
in browsers and made enhancements to them.  Had to fix well over
1000 bugs in one browser before I managed to get it to compile.

> Your bank, online stores, utilities,
> almost any site with a login are all going to require HTTPS.

There are plenty of sites with logins that do not require https.
Again, this is information that is openly published.  In many,
possibly all, cases the URLs used to work properly with http.

Terje replies:
> If it's causing you any actual trouble

It is.  Original message is quoted above, read it again, and don't
assume I'm looking for an argument, or abuse.

I'm not suggesting that the ability to do https be taken away.  Those
who want https can type https.  I'm only saying that the website should
honor http for those who prefer or need it.


More information about the freebsd-questions mailing list