
Re: Firefox HTTPS-only mode breaks sites that return 404 for HTTPS connections



On 15/04/2021 11:16, piorunz wrote:
> On 15/04/2021 03:15, Celejar wrote:
>
>>> It certainly works fine for me. I use https only mode for many months
>>> now. Can you bring an example of a page which returns good page on
>>> http, but 404 error on https?
>>
>> http://www.daat.ac.il/
>> https://www.daat.ac.il/
>>
>> Celejar
>
> Their webserver is misconfigured. AFAIR, if they don't support https,
> their server should redirect to http page. Instead, they throw 404 error.

If they don't support https, they shouldn't respond at all. Receiving a
404 comes after successful TLS negotiation. With HTTPS you first
establish a TCP connection to port 443 on the server, then you establish
a TLS tunnel to the server; only once those are complete can you send
the "GET" verb over the tunnel. The server has then, securely, responded
"I don't have a page called /".

While it's common practice for HTTP and HTTPS sites to be identical,
it's not really built into the protocol. I could well see a situation
where a webmaster might configure, say, just the /admin part to be
accessible over HTTPS.

That said, common use is changing. It's now expected that
http://example.com, https://example.com, http://www.example.com and
https://www.example.com all serve identical content (mostly because
humans are terrible at paying attention to the full URL and just see
that all as "example dot com").

>
> Your web browser behaviour is as intended, everything is fine.
> If webadmins of that page don't know their sh*t, are you sure you want
> to use that website? Who knows what else they forgot to implement.
>
> Disclaimer: I never worked in IT, all self taught, but I have webpage
> which I put up myself on Debian computer, with https cert (it's free),
> TLS 2.0/3.0 only, PFS, HSTS preload with long duration, OCSP stapling,
> top spec security. These guys? They can't even redirect to their http
> page.
>
>
> -- 
>
> With kindest regards, piorunz.
>
> ⢀⣴⠾⠻⢶⣦⠀
> ⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
> ⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
> ⠈⠳⣄⠀⠀⠀⠀
>

Attachment: OpenPGP_signature
Description: OpenPGP digital signature
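
The three stages described in the message above (TCP connection, TLS tunnel, then the GET), as an added example that is not part of the original post: a Python probe that reports at which layer an HTTPS request ended. The function name `probe`, its parameters and its return format are choices made for this illustration.

```python
import socket
import ssl


def probe(host, port=443, path="/", tls=True, timeout=5.0):
    """Return (layer, detail) naming the layer at which the request ended."""
    # Stage 1: TCP. A server with no HTTPS service at all stops here
    # (connection refused or timed out); no HTTP status can exist yet.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp", type(exc).__name__)
    try:
        # Stage 2: TLS handshake over the TCP connection. Certificate and
        # protocol failures surface here (ssl.SSLError subclasses OSError).
        if tls:
            ctx = ssl.create_default_context()
            try:
                sock = ctx.wrap_socket(sock, server_hostname=host)
            except OSError as exc:
                return ("tls", type(exc).__name__)
        # Stage 3: HTTP. Only now is the GET sent; a 404 seen here means
        # both earlier stages succeeded and the server answered the request.
        request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        try:
            sock.sendall(request.encode("ascii"))
            status_line = sock.makefile("rb").readline().decode("latin-1")
        except OSError as exc:
            return ("http", type(exc).__name__)
        parts = status_line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            return ("http", int(parts[1]))
        return ("http", "no status line")
    finally:
        sock.close()


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))  # host name supplied on the command line
```

A result of `("http", 404)` is the case discussed in this thread; `("tcp", ...)` is what a server without any HTTPS service would produce.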

