Re: [Repo-criteria-discuss] HSTS screw?

repo-criteria-discuss

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Repo-criteria-discuss] HSTS screw?

From:	Mike Gerwitz
Subject:	Re: [Repo-criteria-discuss] HSTS screw?
Date:	Mon, 10 Oct 2016 22:26:59 -0400
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

On Mon, Oct 10, 2016 at 21:44:19 -0400, Richard Stallman wrote:
> But now the browser forces https when I connect to Wikipedia.  (Is
> this HSTS at work?)

It's twofold: all HTTP requests are first redirected to HTTPS by their
webserver.  Subsequently, all HTTPS requests contain the HSTS header, so
your browser won't bother trying to hit HTTP at all again after that.

> That typically fails totally because the portal does not handle https
> at all.
>
> Do you have a solution for this?

As in: you want to downgrade the connection to HTTP?  If so, then no,
that's not possible with their configuration unless you use some proxy
that will do the stripping for you.  Offering plain HTTP would thwart
what they're trying to do.

It doesn't matter what browser you use---all will be forced to use
HTTPS.  wget will be forced to; the webserver will simply tell it to
redirect.  If a client doesn't support HTTPS, then it will fail.

Do these portals allow you to only visit the site that you requested?
Do they let you put in any site you want?

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: 2217 5B02 E626 BC98 D7C0  C2E5 F22B B815 8EE3 0EAB
https://mikegerwitz.com

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Repo-criteria-discuss] Savannah and HTTPS, (continued)

Prev by Date: Re: [Repo-criteria-discuss] Savannah and HTTPS
Next by Date: Re: [Repo-criteria-discuss] HSTS screw?
Previous by thread: [Repo-criteria-discuss] HSTS screw?
Next by thread: Re: [Repo-criteria-discuss] HSTS screw?
Index(es):
- Date
- Thread