--- Begin Message ---
Subject: |
Re: [bug-diffutils] bug#56468: www.gnu.org doesn't change http: to https: |
Date: |
Sat, 9 Jul 2022 14:03:58 -0500 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.1 |
On 7/9/22 12:03, Jerry Peek wrote:
I just clicked on an old link to
http://www.gnu.org/software/diffutils/manual/. Then the web browser
showed the address http://www.gnu.org/software/diffutils/manual/ and
marked it "insecure". So I tried
https://www.gnu.org/software/diffutils/manual/ (with an s) and the
browser showed that address.
I'm writing to suggest that you might add a redirect from
http://www.gnu.org/software/diffutils/manual/ to
https://www.gnu.org/software/diffutils/manual/ so that no one will get
the "insecure" page.
Thanks for reporting this <https://bugs.gnu.org/56468>. The problem
seems to be that when contacted via the HTTP protocol, www.gnu.org
responds like the following, even though this doesn't make sense:
$ curl --head http://www.gnu.org
HTTP/1.1 200 OK
Date: Sat, 09 Jul 2022 18:55:16 GMT
Server: Apache/2.4.29
Content-Location: home.html
Vary: negotiate,accept-language,Accept-Encoding
TCN: choice
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Access-Control-Allow-Origin: (null)
Accept-Ranges: bytes
Cache-Control: max-age=0
Expires: Sat, 09 Jul 2022 18:55:16 GMT
Content-Type: text/html
Content-Language: en
The problem with this response is that HTTP clients are supposed to
ignore the Strict-Transport-Security: header. That header makes sense
only in an HTTPS response. www.gnu.org should respond like this:
$ curl --head http://www.github.com
HTTP/1.1 301 Moved Permanently
Content-Length: 0
Location: https://www.github.com/
I'm forwarding this to webmasters@gnu.org, who are people who can fix
this, and am closing this diffutils bug report <https://bugs.gnu.org/56468>.
--- End Message ---