[Rack] Noisebridge Domain Question

Andy Isaacson adi at hexapodia.org
Thu Dec 6 18:19:54 UTC 2012


On Thu, Dec 06, 2012 at 12:54:29AM -0800, James Sundquist wrote:
> On 12/5/2012 11:02 AM, Rubin Abdi wrote:
> >It would be great if (*.)noisebridgenet.org and .com at just port 80
> >would do an http redirect over to noisebridge.net:443, ignoring anything
> >coming into port 443. If I was asked to make a guess I would say that
> >the majority of hits to those two TLDs would be for port 80 and not 443.
> >If someone's hitting 443 they're simply sorely misinformed and are most
> >likely educated enough to try knocking on 80 next.
>
> For me, access through https is far less important than the website
> simply connecting to somewhere other than an error message.  Getting
> Port 80 working sounds like a reasonable place to start.

noisebridge.net is secure by default; we only provide service over HTTPS
due to Strict Transport Security headers and the Chrome STS list.  As a
result if someone types "noisebridge.net" in the URL bar they're
protected over HTTPS even if they didn't ask for it.

If we provide a HTTP-only redirect at noisebridge.com then a MITM can
intercept there.

This isn't a complete dealbreaker, but it is unfortunate.

-andy


More information about the Rack mailing list