[Rack] Noisebridge Domain Question

Jonathan Lassoff jof at thejof.com
Thu Dec 6 18:46:53 UTC 2012


On Thu, Dec 6, 2012 at 10:38 AM, Danny O'Brien <danny at spesh.com> wrote:

> On Thu, Dec 6, 2012 at 10:19 AM, Andy Isaacson <adi at hexapodia.org> wrote:
> > On Thu, Dec 06, 2012 at 12:54:29AM -0800, James Sundquist wrote:
> >> On 12/5/2012 11:02 AM, Rubin Abdi wrote:
> >> >It would be great if (*.)noisebridgenet.org and .com at just port 80
> >> >would do an http redirect over to noisebridge.net:443, ignoring anything
> >> >coming into port 443. If I was asked to make a guess I would say that
> >> >the majority of hits to those two TLDs would be for port 80 and not 443.
> >> >If someone's hitting 443 they're simply sorely misinformed and are most
> >> >likely educated enough to try knocking on 80 next.
> >>
> >> For me, access through https is far less important than the website
> >> simply connecting to somewhere other than an error message.  Getting
> >> Port 80 working sounds like a reasonable place to start.
> >
> > noisebridge.net is secure by default; we only provide service over HTTPS
> > due to Strict Transport Security headers and the Chrome STS list.  As a
> > result if someone types "noisebridge.net" in the URL bar they're
> > protected over HTTPS even if they didn't ask for it.
> >
> > If we provide a HTTP-only redirect at noisebridge.com then a MITM can
> > intercept there.
> >
> > This isn't a complete dealbreaker, but it is unfortunate.
> >
>
> We're kind of a poster child for doing https right, with our
> certificate pinned in Chrome, and no http redirects. I'm open to
> arguments as to why we should break that for resolving
> noisebridge.com, but honestly, I don't really see why resolving
> noisebridge.com is important yet. noisebridge.net is the address, and
> going to noisebridge.com does what going to the wrong web site
> normally does.
>

If this is a worthy goal, and something we'd like to stick with (I think
so), then there is no reason to add the redirects.

They'd only be useful for users that don't know our domain and we'd just
like to opportunistically redirect.
I don't see any great harm in redirecting them to the correct domain,
though it's totally a point at which someone could be MITMing and
redirecting to nosebridge.net. :p


I see two types of users and use cases here though:
- Average web user just wants access to the Noisebridge site. Doesn't care
about TLS security.
- Hacker cares about crafting the most secure connections and verifying
data integrity. Just because.

I think we could appease both groups by running the redirectors.
If you're in camp #1, noisebridge.{popular TLD} works, and if you're in
camp #2, then the user probably cares enough to enter the right domain.
It's not like we're not already redirecting on noisebridge.net, TCP/80
anyway. Though Chromium users will probably go TLS first with the STS
pinning.

--j
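The distinction Andy and Danny draw above (a host on the browser's STS preload list is upgraded before any plaintext request is sent, while an HTTP-only redirect on a non-preloaded domain is a request a network attacker can tamper with) is easy to see in a small model of the client side. The following is an added illustration, not code from this thread or from Noisebridge's infrastructure. It mirrors the thread's statement that noisebridge.net is on the Chrome STS list; the includeSubDomains flag on that entry, and every header value in the script, are assumptions constructed for the example.

```python
"""Model of how a browser's HSTS cache (RFC 6797) plus a preload list
decides which requests ever leave the client as plaintext HTTP.

Added illustration for the thread above, not Noisebridge's real setup.
The preload entry mirrors the thread's claim that noisebridge.net is on
the Chrome STS list; its includeSubDomains flag is an assumption, and
every header value below is constructed for the example.
"""
from dataclasses import dataclass, field
from time import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser's built-in preload list:
# host -> whether the entry also covers subdomains.
PRELOADED = {"noisebridge.net": True}


@dataclass
class HstsCache:
    # host -> (expiry as unix time, includeSubDomains flag)
    entries: dict = field(default_factory=dict)

    def note_header(self, host, header_value, now=None):
        """Record a Strict-Transport-Security header. A browser only honours
        the header when it arrived over an error-free HTTPS connection; that
        check is the caller's job. Returns True if the header was usable."""
        now = time() if now is None else now
        host = host.lower()
        max_age, include_sub = None, False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return False
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:          # max-age is mandatory
            return False
        if max_age == 0:             # max-age=0 tells the client to forget the host
            self.entries.pop(host, None)
        else:
            self.entries[host] = (now + max_age, include_sub)
        return True

    def is_known_hsts(self, host, now=None):
        """True if host, or a parent domain whose policy covers subdomains,
        is a preloaded or cached (unexpired) HSTS host."""
        now = time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = (i == 0)
            if candidate in PRELOADED and (exact or PRELOADED[candidate]):
                return True
            entry = self.entries.get(candidate)
            if entry is not None:
                expiry, include_sub = entry
                if expiry > now and (exact or include_sub):
                    return True
        return False

    def rewrite(self, url, now=None):
        """Apply the upgrade a browser performs before any bytes are sent.
        The returned URL is the one that actually reaches the network."""
        parts = urlsplit(url)
        if parts.scheme.lower() != "http" or not self.is_known_hsts(parts.hostname, now):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):     # keep explicit non-default ports
            netloc = f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def goes_out_in_plaintext(url, cache, now=None):
    """The question the thread is really asking: does this request leave the
    client unprotected, so that an HTTP-only redirect's Location header is
    something a network attacker could alter?"""
    return urlsplit(cache.rewrite(url, now)).scheme == "http"


if __name__ == "__main__":
    cache = HstsCache()
    for typed in ("http://noisebridge.net/", "http://wiki.noisebridge.net/",
                  "http://noisebridge.com/"):
        print(f"{typed:32} -> {cache.rewrite(typed)}")
    # After one clean HTTPS visit that returned a (constructed) HSTS header,
    # later plain-HTTP requests for noisebridge.com are upgraded as well.
    cache.note_header("noisebridge.com", "max-age=31536000; includeSubDomains")
    print(f"{'http://noisebridge.com/':32} -> {cache.rewrite('http://noisebridge.com/')}")
```

The model shows the asymmetry in the thread: a typed noisebridge.net never produces a plaintext request on a preloading browser, while a first visit to noisebridge.com does, and a cached header only helps after one clean HTTPS visit and only until max-age runs out.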