Redirecting hackage.haskell.org to HTTPS

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Redirecting hackage.haskell.org to HTTPS

Tikhon Jelvis
Pages on hackage.haskell.org are currently served over both HTTP and HTTPS. Package security on Hackage does not depend on HTTPS, so we keep HTTP endpoints for backwards compatibility with automated systems that depend on Hackage and do not support HTTPS.

However, this means that it's possible for users to inadvertently browse Hackage pages on HTTP which is not a great user experience. To address this issue without breaking existing scripts, we are planning to redirect requests to HTTPS based on User-Agent headers: requests with "Mozilla/5.0" in their User-Agent string will be redirected to HTTPS and other requests will remain unchanged.

Please contact us at [hidden email] if this change will cause problems with how you use Hackage. Otherwise, the new behavior will go into effect on 2020-11-23.

Thanks!
-Tikhon Jelvis, on behalf of the Haskell.org Committee

_______________________________________________
Haskell-Cafe mailing list
To (un)subscribe, modify options or view archives go to:
http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe
Only members subscribed via the mailman list are allowed to post.
Reply | Threaded
Open this post in threaded view
|

Re: Redirecting hackage.haskell.org to HTTPS

Branimir Maksimovic

So I change user agent signature ;)

Greets, Branimir.

On 11/15/20 6:42 AM, Tikhon Jelvis wrote:
Pages on hackage.haskell.org are currently served over both HTTP and HTTPS. Package security on Hackage does not depend on HTTPS, so we keep HTTP endpoints for backwards compatibility with automated systems that depend on Hackage and do not support HTTPS.

However, this means that it's possible for users to inadvertently browse Hackage pages on HTTP which is not a great user experience. To address this issue without breaking existing scripts, we are planning to redirect requests to HTTPS based on User-Agent headers: requests with "Mozilla/5.0" in their User-Agent string will be redirected to HTTPS and other requests will remain unchanged.

Please contact us at [hidden email] if this change will cause problems with how you use Hackage. Otherwise, the new behavior will go into effect on 2020-11-23.

Thanks!
-Tikhon Jelvis, on behalf of the Haskell.org Committee

_______________________________________________
Haskell-Cafe mailing list
To (un)subscribe, modify options or view archives go to:
http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe
Only members subscribed via the mailman list are allowed to post.

_______________________________________________
Haskell-Cafe mailing list
To (un)subscribe, modify options or view archives go to:
http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe
Only members subscribed via the mailman list are allowed to post.
Reply | Threaded
Open this post in threaded view
|

Re: Redirecting hackage.haskell.org to HTTPS

Bob Ippolito
In reply to this post by Tikhon Jelvis
In addition to the redirect, and for the same reasons, enabling HSTS [1] and submitting it to the HSTS preload list for browsers [2] may also make sense. I don't think it should have any effect on agents that are visiting the HTTP version of the site unless the agent somehow simultaneously supports HSTS, has the preload list or has previously visited the site on HTTPS, and can't cope a client-side URL rewrite from HTTP to HTTPS.

-bob

On Sat, Nov 14, 2020 at 9:43 PM Tikhon Jelvis <[hidden email]> wrote:
Pages on hackage.haskell.org are currently served over both HTTP and HTTPS. Package security on Hackage does not depend on HTTPS, so we keep HTTP endpoints for backwards compatibility with automated systems that depend on Hackage and do not support HTTPS.

However, this means that it's possible for users to inadvertently browse Hackage pages on HTTP which is not a great user experience. To address this issue without breaking existing scripts, we are planning to redirect requests to HTTPS based on User-Agent headers: requests with "Mozilla/5.0" in their User-Agent string will be redirected to HTTPS and other requests will remain unchanged.

Please contact us at [hidden email] if this change will cause problems with how you use Hackage. Otherwise, the new behavior will go into effect on 2020-11-23.

Thanks!
-Tikhon Jelvis, on behalf of the Haskell.org Committee
_______________________________________________
Haskell-Cafe mailing list
To (un)subscribe, modify options or view archives go to:
http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe
Only members subscribed via the mailman list are allowed to post.

_______________________________________________
Haskell-Cafe mailing list
To (un)subscribe, modify options or view archives go to:
http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe
Only members subscribed via the mailman list are allowed to post.