[Rack] Noisebridge Domain Question

Danny O'Brien danny at spesh.com
Thu Dec 6 18:38:03 UTC 2012


On Thu, Dec 6, 2012 at 10:19 AM, Andy Isaacson <adi at hexapodia.org> wrote:
> On Thu, Dec 06, 2012 at 12:54:29AM -0800, James Sundquist wrote:
>> On 12/5/2012 11:02 AM, Rubin Abdi wrote:
>> >It would be great if (*.)noisebridgenet.org and .com at just port 80
>> >would do an http redirect over to noisebridge.net:443, ignoring anything
>> >coming into port 443. If I was asked to make a guess I would say that
>> >the majority of hits to those two TLDs would be for port 80 and not 443.
>> >If someone's hitting 443 they're simply sorely misinformed and are most
>> >likely educated enough to try knocking on 80 next.
>>
>> For me, access through https is far less important than the website
>> simply connecting to somewhere other than an error message.  Getting
>> Port 80 working sounds like a reasonable place to start.
>
> noisebridge.net is secure by default; we only provide service over HTTPS
> due to Strict Transport Security headers and the Chrome STS list.  As a
> result if someone types "noisebridge.net" in the URL bar they're
> protected over HTTPS even if they didn't ask for it.
>
> If we provide a HTTP-only redirect at noisebridge.com then a MITM can
> intercept there.
>
> This isn't a complete dealbreaker, but it is unfortunate.
>

We're kind of a poster child for doing https right, with our
certificate pinned in Chrome, and no http redirects. I'm open to
arguments as to why we should break that for resolving
noisebridge.com, but honestly, I don't really see why resolving
noisebridge.com is important yet. noisebridge.net is the address, and
going to noisebridge.com does what going to the wrong web site
normally does.

d.

> -andy
> _______________________________________________
> Rack mailing list
> Rack at lists.noisebridge.net
> https://www.noisebridge.net/mailman/listinfo/rack
>



More information about the Rack mailing list