[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: people.debian.org will move from ravel to paradis and become HTTPS only

Op maandag 21 juli 2014 17:39:44 schreef Paul Wise:
> On Mon, Jul 21, 2014 at 5:22 PM, Wouter Verhelst wrote:
> > Yes it does.
> 
> No...
> 
> > I just tried chromium and iceweasel on this laptop (running sid, a few
> > days out of date). Both will turn "http://www.debian.org"; into
> > "https://www.debian.org"; due to HSTS. This works whether I enter the
> > "http://"; prefix or not.
> 
> http://www.debian.org/ does not deliver the HSTS header so it
> definitely isn't HSTS causing this upgrade to https.

Oh, I see the misunderstanding now.

What I meant is, if you access people.debian.org over HTTPS even once.

If you clear your cache (or do the "forget this site" thing in browsing
history) and then explicitly enter the HTTP URL, then you asked for HTTP
and it shouldn't be changed behind your back -- that would be a feature,
not a bug.

If you don't clear your cache after accessing people.debian.org through
https, then HSTS will turn http into https until the HSTS max-age time
has passed.

-- 
It is easy to love a country that is famous for chocolate and beer

  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26
Reply to: