TeX Live future access in danger

Zdenek Wagner zdenek.wagner at gmail.com
Sat Apr 13 10:06:03 CEST 2019 

so 13. 4. 2019 v 9:42 odesílatel Markus Kohm <markus.kohm at gmx.de> napsal:
>
> Am Samstag, 13. April 2019, 03:34:17 CEST schrieb George N. White III:
> > Existing links in documents on the server will still have HTTP URL's, so
> > in practice, CTAN sites have to provide HTTP for the foreseeable
> > future.
>
> This is usually solved by redirecting. E.g., if you try http://
> www.komascript.de/node/1801 you will be redirected to https://komascript.de/
> node/1801 automatically:
>
> Resolving www.komascript.de (www.komascript.de)... 2a01:238:43fc:
> 2300:6350:9cb2:8bae:dfe6, 85.214.222.242
> Connecting to www.komascript.de (www.komascript.de)|2a01:238:43fc:
> 2300:6350:9cb2:8bae:dfe6|:80... connected.
> HTTP request sent, awaiting response... 301 Moved Permanently
> Location: https://komascript.de/node/1801 [following]
> --2019-04-13 09:37:28--  https://komascript.de/node/1801
> Resolving komascript.de (komascript.de)... 2a01:238:43fc:
> 2300:6350:9cb2:8bae:dfe6, 85.214.222.242
> Connecting to komascript.de (komascript.de)|2a01:238:43fc:
> 2300:6350:9cb2:8bae:dfe6|:443... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: unspecified [text/html]
> Saving to: '1801.'
>
This is not so simple. If a page is loaded via https and the page
contains a lik with http, then, if I understand it well, the browser
will refuse to load it. Hence redirection will not be tried. Thus if
you have a page served via https and you want to present a link to a
resource available via http only, there will be a problem.

If a server supports both http and https and https is prefered, then
in addition to redirection the browser should be informed not to try
http the next time. I ave such a server where the whole contents is
available via https only and http contains only redirections with the
following header (set in the Apache config file):

Header always set Strict-Transport-Security "max-age=63072000;
includeSubdomains"

If a user types the URL manually, he/she need not type the protocol,
at the first time http will be used and the browser will be
redirected, the redirection will be stored in the browser. The next
time the browser will find the stored information and use https
immediately.

> This shouldn't be a problem in the webserver configuration. The only problem
> are clients that do not support https. They cannot reach the site and this is
> intended.
>
Yes, but if the refering site is loaded via https only, such clients
will not have problems with links requiring https. They will fail
earlier. It is always a bad practice to mix http and https, hence if
both should be supported, then protocol neutral links as suggested by
Phil will do the trick.

> Markus

More information about the tex-live mailing list