Nobody is unsubscribed

Mark Reynolds beastie@REDACTED
Mon Nov 4 21:00:12 CET 2019


Using HSTS without an HTTP to HTTPS redirection is against the RFC (6797):

>If an HSTS Host receives an HTTP request message over a non-secure transport, it SHOULD send an HTTP response message containing a status code indicating a permanent redirect, such as status code 301

Also, it's a requirement for inclusion into the HSTS preload list:

>    In order to be accepted to the HSTS preload list through this form, your site must satisfy the following set of requirements:
>    […]
>    2- Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.

On Mon, Nov 4, 2019, at 17:30, Loïc Hoguin wrote:
> On 04/11/2019 13:44, Raimo Niskanen wrote:
> > On Mon, Nov 04, 2019 at 11:53:16AM +0100, Loïc Hoguin wrote:
> >> For erlang.org itself there's two problems currently: no automatic
> >> redirection from http to https;
> > 
> > That seems to be the industry standard now, but I would like content to be
> > accessible without having to use https.
> 
> Redirection is generally not great because you get redirected every time 
> you go through via http. There's HSTS that gets us one step further by 
> telling browsers to remember they have to use HTTPS instead of HTTP, so 
> the initial HTTP call isn't made.
> 
> > The redirect for http://erlang.org and https://erlang.org goes to
> > $scheme://www.erlang.org, which redirects to https://www.erlang.org.
> > 
> > Unfortunately the redirects back from e.g. https://www.erlang.org/doc
> > change to http://erlang.org/doc because https for erlang.org did not work
> > until 10 minutes ago.
> 
> And redirection tends to lead to these issues.
> 
> > Would it be sufficient to make those redirects from www.erlang.org to
> > erlang.org not change from https to http?
> 
> You definitely shouldn't downgrade if possible. I am wondering however 
> if you want to leave *browsers* able to access the site via plain HTTP, 
> or clients in general (including things like curl for example). A policy 
> like HSTS is only used by clients that understand it (so mostly 
> browsers) so maybe this is what you want to setup. Browsers would always 
> go through HTTPS; other clients would be able to use both HTTP and HTTPS.
> 
> Cheers,
> 
> > That, and the answer 20 lines down...?
> > 
> >>
> >> And this:
> >>
> >> Your connection is not private
> >> This server could not prove that it is erlang.org; its security
> >> certificate is from www2.erlang.org. This may be caused by a
> >> misconfiguration or an attacker intercepting your connection.
> >>
> >> NET::ERR_CERT_COMMON_NAME_INVALID
> >> Subject: www2.erlang.org
> >>
> >> Issuer: DigiCert SHA2 Secure Server CA
> >>
> >> Expires on: Oct 22, 2021
> >>
> >> Current date: Nov 4, 2019
> > 
> > A new certificate is in place, so this should be fixed.
> > 
> > / Raimo
> > 
> > 
> >>
> >> Keep up the good work.
> >>
> >> On 04/11/2019 11:34, Raimo Niskanen wrote:
> >>> On Mon, Nov 04, 2019 at 10:47:03AM +0100, Adam Lindberg wrote:
> >>>> Speaking of servers and domains, when is HTTPS coming to erlang.org and its sub-domains?
> >>>
> >>> HTTPS has been active for www.erlang.org and bugs.erlang.org for years.
> >>> The recent web server upgrade enabled it for erlang.org as well;
> >>> we are working on it...
> >>>
> >>> Best regards
> >>> / Raimo
> >>>
> >>>
> >>>>
> >>>> Cheers,
> >>>> Adam
> >>>>
> >>>>> On 2. Nov 2019, at 09:14, Raimo Niskanen <ratmapper@REDACTED> wrote:
> >>>>>
> >>>>> Yes it does. It applies to all mailing lists.
> >>>>>
> >>>>> Ericsson has got its eyes on mailing lists at erlang.org since it owns the domain.
> >>>>>
> >>>>> Best regards
> >>>>> / Raimo Niskanen
> >>>>>
> >>>>> On Sat 2 Nov 2019 02:47 Richard O'Keefe <raoknz@REDACTED> wrote:
> >>>>> Does this apply to the EEPS list as well?
> >>>>>
> >>>>> On Sat, 2 Nov 2019 at 04:25, Joe Harrison <joe@REDACTED> wrote:
> >>>>>>
> >>>>>> Thanks for doing all of this, regardless.
> >>>>>>
> >>>>>> There's no perfect way to do mailing lists in a DMARC/DKIM/SPF compliant
> >>>>>> way that doesn't break some client's "From:" field, subject line, or
> >>>>>> "Reply:" button in some way, but this seems like the least bad option.
> >>>>>>
> >>>>>> I hope my emails make it through to the list now ^_^
> >>>>>>
> >>>>>> OT: Be careful of organisations' web contact forms which ask for your
> >>>>>> email address. Sometimes their web servers generate an email from the
> >>>>>> form using your email address as the "From:" address, which will break a
> >>>>>> lot of DKIM/DMARC/SPF stuff.
> >>>>>> I know of at least one local authority (council) website in the UK which
> >>>>>> is guilty of this.
> >>>>>>
> >>>>>> - Joe
> >>>>>>
> >>>>>> On 26/10/2019 07:57, Raimo Niskanen wrote:
> >>>>>>> It is mainly "the big ones" that have been affected by stricter DMARC
> >>>>>>> policies.
> >>>>>>>
> >>>>>>> When a subscriber sending from e.g. Yahoo gets received by Gmail then
> >>>>>>> Gmail rejects that message since Yahoo's DMARC policy says so (also vice
> >>>>>>> versa). So the list gets a bounce and eventually blocks the Gmail
> >>>>>>> subscriber, if enough in a row happens to send with strict DMARC policies.
> >>>>>>>
> >>>>>>> So for some it has worked, some gets an annoying list probe every now
> >>>>>>> and then, some do not get many posts, but the final nail in the coffin
> >>>>>>> was Ericsson (Erlang/OTP's home corporation) that tightened its DMARC
> >>>>>>> policy and at the same time told us to get our act together and stop
> >>>>>>> sending "unhygienic e-mail".
> >>>>>>>
> >>>>>>> All the best
> >>>>>>> / Raimo
> >>>>>>>
> >>>>>>>
> >>>>>>> On Fri 25 Oct 2019 16:58 Chris Rempel <csrl@REDACTED
> >>>>>>> <mailto:csrl@REDACTED>> wrote:
> >>>>>>>
> >>>>>>>       Not having the subject contain [erlang-questions] or some other
> >>>>>>>       obvious indicator is quite unfortunate.  I guess many people were
> >>>>>>>       affected by not being DMARC compliant?  It seems to have been
> >>>>>>>       working just fine for quite some time... ie it "works for me" as it was.
> >>>>>>>
> >>>>>>>       That said, thanks for maintaining the list, and keeping it going.
> >>>>>>>       It is a most useful resource.
> >>>>>>>
> >>>>>>>       Chris
> >>>>>>>
> >>>>>>>       *Sent:* Friday, October 25, 2019 at 7:38 AM
> >>>>>>>       *From:* "Raimo Niskanen" <ratmapper@REDACTED
> >>>>>>>       <mailto:ratmapper@REDACTED>>
> >>>>>>>       *To:* erlang-questions@REDACTED <mailto:erlang-questions@REDACTED>
> >>>>>>>       *Subject:* Re: Nobody is unsubscribed
> >>>>>>>       To achieve DMARC compliance we have stopped changing the Subject:
> >>>>>>>       field and no longer add the mailing list footer to the messages.
> >>>>>>>
> >>>>>>>       This is because From: Subject: and mail body among other fields are
> >>>>>>>       often DKIM signed, so if we should change them we would not pass DKIM
> >>>>>>>       signature check and thereby not be DMARC compliant.
> >>>>>>>
> >>>>>>>       Sorry for the inconvenience, we do not make the rules...
> >>>>>>>       / Raimo Niskanen
> >>>>>>>
> >>>>>>>       On Fri, Oct 25, 2019 at 3:23 PM Raimo Niskanen <ratmapper@REDACTED
> >>>>>>>       <mailto:ratmapper@REDACTED>> wrote:
> >>>>>>>       >
> >>>>>>>       > The reason we changed mailing list servers was to get better DMARC and
> >>>>>>>       > DKIM compliance. This is a test post for us to inspect its headers...
> >>>>>>>       > --
> >>>>>>>       > Raimo Niskanen
> >>>>>>>
> >>>>>>
> >>>>
> >>>
> >>
> >> -- 
> >> Loïc Hoguin
> >> https://ninenines.eu
> > 
> 
> -- 
> Loïc Hoguin
> https://ninenines.eu
>
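As an added illustration (not code from the thread or from erlang.org's servers), the following shows how an HSTS host answers requests per RFC 6797 (permanent redirect to the same host over https, STS header only on the secure response), a user-agent-style parser for the Strict-Transport-Security value, and a check for redirect chains that downgrade https to http, which is the www.erlang.org/doc problem described above. Policy values such as the one-year max-age are constructed for the example.

```python
"""Added example: RFC 6797 HSTS host behaviour and checks (not from the thread)."""
from urllib.parse import urlsplit

HSTS_MAX_AGE = 31536000  # constructed example policy: one year


def hsts_header(max_age=HSTS_MAX_AGE, include_subdomains=True, preload=False):
    """Build a Strict-Transport-Security field value (RFC 6797 section 6.1)."""
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def respond(scheme, host, path):
    """Return (status, headers) an HSTS host should send for this request.

    Over plain HTTP: a permanent redirect to the same host over https, and no
    STS header on the insecure response (RFC 6797 section 7.2).
    Over HTTPS: a normal response carrying the STS header.
    """
    if scheme == "http":
        return 301, {"Location": f"https://{host}{path}"}
    return 200, {"Strict-Transport-Security": hsts_header()}


def parse_hsts(value):
    """Parse an STS value as a user agent does (RFC 6797 sections 6.1, 8.1).

    Directive names are case-insensitive, each may appear only once, and the
    whole header is ignored (None) when max-age is missing or malformed.
    """
    seen = {}
    for raw in value.split(";"):
        name, _, val = raw.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:
            return None  # duplicate directive makes the header invalid
        seen[name] = val.strip().strip('"')
    if not seen.get("max-age", "").isdigit():
        return None
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}


def downgrades(chain):
    """True if any hop in a redirect chain (list of URLs) goes https -> http."""
    schemes = [urlsplit(u).scheme.lower() for u in chain]
    return any(a == "https" and b == "http" for a, b in zip(schemes, schemes[1:]))
```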