Nobody is unsubscribed

Loïc Hoguin essen@REDACTED
Mon Nov 4 22:15:53 CET 2019


Yes it's a requirement for the preload list, but it's not required in 
the RFC, it's just a SHOULD[1]. So erlang.org can definitely be set up 
like I mentioned. Not perfect but could be the most appropriate solution 
considering Raimo wants content to be available via plain HTTP.

[1] SHOULD   This word, or the adjective "RECOMMENDED", mean that there
    may exist valid reasons in particular circumstances to ignore a
    particular item, but the full implications must be understood and
    carefully weighed before choosing a different course.

On 04/11/2019 21:00, Mark Reynolds wrote:
> Using HSTS without a http to https redirection is against the RFC (6797):
> 
>> If an HSTS Host receives an HTTP request message over a non-secure transport, it SHOULD send an HTTP response message containing a status code indicating a permanent redirect, such as status code 301
> 
> Also, it's a requirement for inclusion into the HSTS preload list:
> 
>>     In order to be accepted to the HSTS preload list through this form, your site must satisfy the following set of requirements:
> […]
>>     2- Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.
> 
> On Mon, Nov 4, 2019, at 17:30, Loïc Hoguin wrote:
>> On 04/11/2019 13:44, Raimo Niskanen wrote:
>>> On Mon, Nov 04, 2019 at 11:53:16AM +0100, Loïc Hoguin wrote:
>>>> For erlang.org itself there's two problems currently: no automatic
>>>> redirection from http to https;
>>>
>>> That seems to be the industry standard now, but I would like content to be
>>> accessible without having to use https.
>>
>> Redirection is generally not great because you get redirected every time
>> you go through via http. There's HSTS that gets us one step further by
>> telling browsers to remember they have to use HTTPS instead of HTTP, so
>> the initial HTTP call isn't made.
>>
>>> The redirect for http://erlang.org and https://erlang.org goes to
>>> $scheme://www.erlang.org, which redirects to https://www.erlang.org.
>>>
>>> Unfortunately the redirects back from e.g https://www.erlang.org/doc
>>> changes to http://erlang.org/doc because https for erlang.org did not work
>>> until 10 minutes ago.
>>
>> And redirection tends to lead to these issues.
>>
>>> Would it be sufficient to make those redirects from www.erlang.org to
>>> erlang.org not change from https to http?
>>
>> You definitely shouldn't downgrade if possible. I am wondering however
>> if you want to leave *browsers* able to access the site via plain HTTP,
>> or clients in general (including things like curl for example). A policy
>> like HSTS is only used by clients that understand it (so mostly
>> browsers) so maybe this is what you want to setup. Browsers would always
>> go through HTTPS; other clients would be able to use both HTTP and HTTPS.
>>
>> Cheers,
>>
>>> That, and the answer 20 lines down...?
>>>
>>>>
>>>> And this:
>>>>
>>>> Your connection is not private
>>>> This server could not prove that it is erlang.org; its security
>>>> certificate is from www2.erlang.org. This may be caused by a
>>>> misconfiguration or an attacker intercepting your connection.
>>>>
>>>> NET::ERR_CERT_COMMON_NAME_INVALID
>>>> Subject: www2.erlang.org
>>>>
>>>> Issuer: DigiCert SHA2 Secure Server CA
>>>>
>>>> Expires on: Oct 22, 2021
>>>>
>>>> Current date: Nov 4, 2019
>>>
>>> A new certificate is in place, so this should be fixed.
>>>
>>> / Raimo
>>>
>>>
>>>>
>>>> Keep up the good work.
>>>>
>>>> On 04/11/2019 11:34, Raimo Niskanen wrote:
>>>>> On Mon, Nov 04, 2019 at 10:47:03AM +0100, Adam Lindberg wrote:
>>>>>> Speaking of servers and domains, when is HTTPS coming to erlang.org and its sub-domains?
>>>>>
>>>>> HTTPS has been active for www.erlang.org and bugs.erlang.org for years.
>>>>> The recent web server upgrade enabled it for erlang.org as well;
>>>>> we are working on it...
>>>>>
>>>>> Best regards
>>>>> / Raimo
>>>>>
>>>>>
>>>>>>
>>>>>> Cheers,
>>>>>> Adam
>>>>>>
>>>>>>> On 2. Nov 2019, at 09:14, Raimo Niskanen <ratmapper@REDACTED> wrote:
>>>>>>>
>>>>>>> Yes it does. It applies to all mailing lists.
>>>>>>>
>>>>>>> Ericsson has got its eyes on mailing lists at erlang.org since it owns the domain.
>>>>>>>
>>>>>>> Best regards
>>>>>>> / Raimo Niskanen
>>>>>>>
>>>>>>> On Sat 2 Nov 2019 02:47 Richard O'Keefe <raoknz@REDACTED> wrote:
>>>>>>> Does this apply to the EEPS list as well?
>>>>>>>
>>>>>>> On Sat, 2 Nov 2019 at 04:25, Joe Harrison <joe@REDACTED> wrote:
>>>>>>>>
>>>>>>>> Thanks for doing all of this, regardless.
>>>>>>>>
>>>>>>>> There's no perfect way to do mailing lists in a DMARC/DKIM/SPF compliant
>>>>>>>> way that doesn't break some client's "From:" field, subject line, or
>>>>>>>> "Reply:" button in some way, but this seems like the least bad option.
>>>>>>>>
>>>>>>>> I hope my emails make it through to the list now ^_^
>>>>>>>>
>>>>>>>> OT: Be careful of organisations' web contact forms which ask for your
>>>>>>>> email address. Sometimes their web servers generate an email from the
>>>>>>>> form using your email address as the "From:" address, which will break a
>>>>>>>> lot of DKIM/DMARC/SPF stuff.
>>>>>>>> I know of at least one local authority (council) website in the UK which
>>>>>>>> is guilty of this.
>>>>>>>>
>>>>>>>> - Joe
>>>>>>>>
>>>>>>>> On 26/10/2019 07:57, Raimo Niskanen wrote:
>>>>>>>>> It is mainly "the big ones" that have been affected by stricter DMARC
>>>>>>>>> policies.
>>>>>>>>>
>>>>>>>>> When a subscriber sending from e.g. Yahoo gets received by Gmail then
>>>>>>>>> Gmail rejects that message since Yahoo's DMARC policy says so (also vice
>>>>>>>>> versa). So the list gets a bounce and eventually blocks the Gmail
>>>>>>>>> subscriber, if enough in a row happen to send with strict DMARC policies.
>>>>>>>>>
>>>>>>>>> So for some it has worked, some get an annoying list probe every now
>>>>>>>>> and then, some do not get many posts, but the final nail in the coffin
>>>>>>>>> was Ericsson (Erlang/OTP's home corporation) that tightened its DMARC
>>>>>>>>> policy and at the same time told us to get our act together and stop
>>>>>>>>> sending "unhygienic e-mail".
>>>>>>>>>
>>>>>>>>> All the best
>>>>>>>>> / Raimo
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Fri 25 Oct 2019 16:58 Chris Rempel <csrl@REDACTED> wrote:
>>>>>>>>>
>>>>>>>>>        Not having the subject contain [erlang-questions] or some other
>>>>>>>>>        obvious indicator is quite unfortunate.  I guess many people were
>>>>>>>>>        affected by not being DMARC compliant?  It seems to have been
>>>>>>>>>        working just fine for quite some time... i.e. it "works for me" as it was.
>>>>>>>>>
>>>>>>>>>        That said, thanks for maintaining the list, and keeping it going.
>>>>>>>>>        It is a most useful resource.
>>>>>>>>>
>>>>>>>>>        Chris
>>>>>>>>>
>>>>>>>>>        *Sent:* Friday, October 25, 2019 at 7:38 AM
>>>>>>>>>        *From:* "Raimo Niskanen" <ratmapper@REDACTED>
>>>>>>>>>        *To:* erlang-questions@REDACTED
>>>>>>>>>        *Subject:* Re: Nobody is unsubscribed
>>>>>>>>>        To achieve DMARC compliance we have stopped changing the Subject:
>>>>>>>>>        field and no longer add the mailing list footer to the messages.
>>>>>>>>>
>>>>>>>>>        This is because From: Subject: and mail body among other fields are
>>>>>>>>>        often DKIM signed, so if we should change them we would not pass DKIM
>>>>>>>>>        signature check and thereby not be DMARC compliant.
>>>>>>>>>
>>>>>>>>>        Sorry for the inconvenience, we do not make the rules...
>>>>>>>>>        / Raimo Niskanen
>>>>>>>>>
>>>>>>>>>        On Fri, Oct 25, 2019 at 3:23 PM Raimo Niskanen <ratmapper@REDACTED> wrote:
>>>>>>>>>        >
>>>>>>>>>        > The reason we changed mailing list servers was to get better DMARC and
>>>>>>>>>        > DKIM compliance. This is a test post for us to inspect its headers...
>>>>>>>>>        > --
>>>>>>>>>        > Raimo Niskanen
>>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>
>>>>
>>>> -- 
>>>> Loïc Hoguin
>>>> https://ninenines.eu
>>>
>>
>> -- 
>> Loïc Hoguin
>> https://ninenines.eu
>>

-- 
Loïc Hoguin
https://ninenines.eu
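As an added illustration of the points argued in this thread (example code written here, not code from the thread or from erlang.org's server setup): a small Python checker that parses a Strict-Transport-Security value per RFC 6797, tests it against the hstspreload.org submission rules quoted above, ignores the header when it arrives over plain HTTP as a browser would, and flags https-to-http downgrades in a redirect chain shaped like the one Raimo described. All header values and the redirect chain are constructed sample data.

```python
# Added example, not from the thread: parse a Strict-Transport-Security value
# per RFC 6797, check it against the hstspreload.org submission rules, and flag
# https-to-http downgrades in a redirect chain. Sample values are constructed.
from urllib.parse import urlsplit

PRELOAD_MIN_MAX_AGE = 31536000  # hstspreload.org requires at least one year

def parse_hsts(value):
    """Return the directives of an HSTS value, or None if the header is invalid.
    RFC 6797 6.1: max-age is required, names are case-insensitive, and a
    repeated directive invalidates the whole header."""
    directives = {}
    for token in (t.strip() for t in value.split(";")):
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives

def effective_hsts(scheme, headers):
    """RFC 6797 8.1: a UA ignores the header on a non-TLS response, so a
    browser that has only ever fetched the site over plain HTTP learns nothing."""
    if scheme != "https":
        return None
    return parse_hsts(headers.get("strict-transport-security", ""))

def preload_ready(directives):
    """The preload form also wants max-age >= 1 year, includeSubDomains and preload."""
    return (directives is not None
            and directives["max-age"] >= PRELOAD_MIN_MAX_AGE
            and "includesubdomains" in directives
            and "preload" in directives)

def downgrades(chain):
    """Return the (from, to) hops of a redirect chain that drop from https to http."""
    return [(src, dst) for src, dst in zip(chain, chain[1:])
            if urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"]

# Constructed chain shaped like the one reported in the thread (www -> apex).
SAMPLE_CHAIN = ["http://erlang.org/doc", "https://www.erlang.org/doc", "http://erlang.org/doc"]
```

Running `downgrades(SAMPLE_CHAIN)` returns the single offending hop, which is exactly the redirect that should never send a client back from https to http.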


