undefined | Better HN

0 pointsReactiveJelly4y ago0 comments

Maybe it's a buggy HTTPS redirect in GP's browser? Due to HSTS or something?

The HTTP version of your URL works fine. The HTTPS version has an expired cert. If I click past that, it redirects to redis.io, then gives a 404.

I know antirez is a smart guy, but if this is some kind of "I'm taking a bold stance against HTTPS" then I'd rather read the archive.org link with functioning HTTPS. My threat model prefers trusting archive.org to correctly reproduce the blog, over trusting everyone between me and antirez.com.

0 comments

codethief4y ago

Wow, you just opened my eyes – I really thought he had deleted his blog! Must be the HTTPS Everywhere extension I'm using – though I really don't understand why it redirects me to redis.io just because antirez's TLS certificate is for redis.io, not antirez.com. I would really prefer a clear error message here.

cpach4y ago

The web server(s) at antirez.com are weirdly configured. So it’s not so easy for the web browser to display a very clear error message in this case.

If you run this command you can see a little more clearly what’s going on:

  wget --no-check-certificate -S -O - https://antirez.com/news/124

If you use the plain HTTP URL, everything works fine.

If you try https://antirez.com/news/124 the web server at antirez.com:443 will answer this:

  HTTP/1.1 301 Moved Permanently
  Server: nginx/1.10.2
  Date: Sat, 04 Sep 2021 18:15:46 GMT
  Content-Type: text/html
  Content-Length: 185
  Connection: keep-alive
  Location: https://redis.io/news/124

So it’s not HTTPS Everywhere that redirects, it’s the web server itself.

However, many clients won’t heed this response, since antirez.com:443 serves a certificate that’s not valid for that hostname.

cratermoon4y ago

Looks like the cert is for a different domain (redis.io) AND it expired August 7, 2020.

kyleee4y ago

Let's hear more about your threat model that causes you to wory about nefarious content being injected into a blog post about comments in code

Gh0stRAT4y ago

Not OP, but residential ISPs were caught injecting ads into HTTP sites at least as early as 2014. [0]

I certainly wouldn't trust Comcast to keep malicious ads out of their ad network, either.

[0] https://www.techdirt.com/articles/20140908/07191228453/comca...

sinsterizme4y ago

How about not opening the gates for third parties to inject ads, trackers and crypto miners

cpach4y ago

I agree that in this case (reading an article) HTTP is not a huge threat. But in 2021 I consider HTTPS + HSTS to be a basic hygiene factor.

brazzledazzle4y ago

A bit snarky but I agree, it doesn’t seem like a huge threat. I’d love to be proven wrong though.

j / k navigate · click thread line to collapse

0 comments

codethief4y ago

cpach4y ago

The web server(s) at antirez.com are weirdly configured. So it’s not so easy for the web browser to display a very clear error message in this case.

If you run this command you can see a little more clearly what’s going on:

  wget --no-check-certificate -S -O - https://antirez.com/news/124

If you use the plain HTTP URL, everything works fine.

If you try https://antirez.com/news/124 the web server at antirez.com:443 will answer this:

  HTTP/1.1 301 Moved Permanently
  Server: nginx/1.10.2
  Date: Sat, 04 Sep 2021 18:15:46 GMT
  Content-Type: text/html
  Content-Length: 185
  Connection: keep-alive
  Location: https://redis.io/news/124

So it’s not HTTPS Everywhere that redirects, it’s the web server itself.

However, many clients won’t heed this response, since antirez.com:443 serves a certificate that’s not valid for that hostname.

cratermoon4y ago

Looks like the cert is for a different domain (redis.io) AND it expired August 7, 2020.

kyleee4y ago

Let's hear more about your threat model that causes you to wory about nefarious content being injected into a blog post about comments in code

Gh0stRAT4y ago

Not OP, but residential ISPs were caught injecting ads into HTTP sites at least as early as 2014. [0]

I certainly wouldn't trust Comcast to keep malicious ads out of their ad network, either.

[0] https://www.techdirt.com/articles/20140908/07191228453/comca...

sinsterizme4y ago

How about not opening the gates for third parties to inject ads, trackers and crypto miners

cpach4y ago

I agree that in this case (reading an article) HTTP is not a huge threat. But in 2021 I consider HTTPS + HSTS to be a basic hygiene factor.

brazzledazzle4y ago

A bit snarky but I agree, it doesn’t seem like a huge threat. I’d love to be proven wrong though.

j / k navigate · click thread line to collapse