http: gone

[Harriet Bazley]

All my bookmarked http:// links have stopped working, from
http://www.google.co.uk to http://keapr.com and http://wttr.in/London.png?u
I discovered by chance that editing a 's' into them (e.g. 'https://')
solved the problem. Has the use of a non-encrypted connection to
download non-sensitive data been prohibited in the last week?

--
Harriet Bazley == Loyaulte me lie ==

Abstinence makes the heart grow fonder.

[Harriet Bazley]

On 2 Mar 2021 as I do recall,

Harriet Bazley wrote:

> All my bookmarked http:// links have stopped working, from
> http://www.google.co.uk to http://keapr.com and http://wttr.in/London.png?u
> I discovered by chance that editing a 's' into them (e.g. 'https://')
> solved the problem. Has the use of a non-encrypted connection to
> download non-sensitive data been prohibited in the last week?
>

Apparently this applies to the URLs preset in applications like Fetch_NS
and the Netsurf homepage, as well....

--
Harriet Bazley == Loyaulte me lie ==

Violence is the last refuge of the incompetent.

[Dave Plowman (News)]

In article <2846f1065...@bazleyfamily.co.uk>,

Harriet Bazley <har...@bazleyfamily.co.uk> wrote:
> All my bookmarked http:// links have stopped working, from
> http://www.google.co.uk to http://keapr.com and http://wttr.in/London.png?u
> I discovered by chance that editing a 's' into them (e.g. 'https://')
> solved the problem. Has the use of a non-encrypted connection to
> download non-sensitive data been prohibited in the last week?

Don't use a RISCOS browser much these days but I think you're right. Went
to a little used URL of a firm I know still exists via my bookmarks and
got the same. Changing to https found it again.

--
*I wished the buck stopped here, as I could use a few*

Dave Plowman da...@davenoise.co.uk London SW
To e-mail, change noise into sound.

[Tim Hill]

In article <5906f70...@davenoise.co.uk>, Dave Plowman (News)

<da...@davenoise.co.uk> wrote:
> In article <2846f1065...@bazleyfamily.co.uk>, Harriet Bazley
> <har...@bazleyfamily.co.uk> wrote:
> > All my bookmarked http:// links have stopped working, from
> > http://www.google.co.uk to http://keapr.com and
> > http://wttr.in/London.png?u I discovered by chance that editing a 's'
> > into them (e.g. 'https://') solved the problem. Has the use of a
> > non-encrypted connection to download non-sensitive data been
> > prohibited in the last week?

> Don't use a RISCOS browser much these days but I think you're right.
> Went to a little used URL of a firm I know still exists via my
> bookmarks and got the same. Changing to https found it again.

But not every http site has an https equivalent. This is a horrendous bug.

It seems like blasphemy to say it but despite what some seem to think,
including Google, some sites don't need a secure connection.

[Chris Hughes]

In message <2846f1065...@bazleyfamily.co.uk>

Harriet Bazley <har...@bazleyfamily.co.uk> wrote:

> All my bookmarked http:// links have stopped working, from
> http://www.google.co.uk to http://keapr.com and http://wttr.in/London.png?u
> I discovered by chance that editing a 's' into them (e.g. 'https://')
> solved the problem. Has the use of a non-encrypted connection to
> download non-sensitive data been prohibited in the last week?

Just tried all your above links with http and they all worked fine in
!NetSurf 3.10

But you will find in general, many sites are now becoming https by
default, its the way the Internet is moving, and in Firefox their is now
an option to warn/block, sites as insecure if they use http only. other
main stream browsers are following this trend.

--
Chris Hughes

[Chris Hughes]

In message <5906f8...@invalid.org.uk>

Tim Hill <t...@invalid.org.uk> wrote:

> In article <5906f70...@davenoise.co.uk>, Dave Plowman (News)
> <da...@davenoise.co.uk> wrote:
>> In article <2846f1065...@bazleyfamily.co.uk>, Harriet Bazley
>> <har...@bazleyfamily.co.uk> wrote:
>>> All my bookmarked http:// links have stopped working, from
>>> http://www.google.co.uk to http://keapr.com and
>>> http://wttr.in/London.png?u I discovered by chance that editing a 's'
>>> into them (e.g. 'https://') solved the problem. Has the use of a
>>> non-encrypted connection to download non-sensitive data been
>>> prohibited in the last week?

>> Don't use a RISCOS browser much these days but I think you're right.
>> Went to a little used URL of a firm I know still exists via my
>> bookmarks and got the same. Changing to https found it again.

> But not every http site has an https equivalent. This is a horrendous bug.

Its not a bug, the world is moving on from insecure websites to secure
ones to improve security etc.

> It seems like blasphemy to say it but despite what some seem to think,
> including Google, some sites don't need a secure connection.

All the main browsers will start if not already warn you are accessing an
insecure site and Firefox now has an optional option to block them.

Even !NetSurf does if you look at the padlock in the URL bar, but does not
yet block insecure sites.

--
Chris Hughes

[Tim Hill]

In article <d9cafb06...@mytarbis.plus.com>, Chris Hughes

Contrary to what many - including Google - seem to think, some sites

[Chris Hughes]

In message <5906fe...@invalid.org.uk>

Well you soon will not be able access them! Its nothing to do with Google,
its to do with website security and reducing hacking, etc.

Plus most secure websites that involve financial transactions should now
be a minimum of TLS 1.2 and preferably TLS 1.3 - The main web browsers now
block or at minimum warn you are if they are not using those secure
protocols for financial transactions.

--
Chris Hughes

[Tim Hill]

In article <ad1f0207...@mytarbis.plus.com>, Chris Hughes

It's a huge leap from a hobbyist photographer with a few photos he wants
to show off to a banking website. Of course your money needs to be secure
but websites you don't log into in any way don't need to be https.

[Harriet Bazley]

On 2 Mar 2021 as I do recall,

Chris Hughes wrote:

> In message <2846f1065...@bazleyfamily.co.uk>
> Harriet Bazley <har...@bazleyfamily.co.uk> wrote:
>
> > All my bookmarked http:// links have stopped working, from
> > http://www.google.co.uk to http://keapr.com and http://wttr.in/London.png?u
> > I discovered by chance that editing a 's' into them (e.g. 'https://')
> > solved the problem. Has the use of a non-encrypted connection to
> > download non-sensitive data been prohibited in the last week?
>
> Just tried all your above links with http and they all worked fine in
> !NetSurf 3.10
>

What's even odder is that *I* just tried them from within my own
Usente post and this time they worked for me, as did some other links
from my bookmarks (although the majority redirected to an https site
without my intervention); only one link failed with the "Server
returned nothing (no headers, no data)" error I was getting universally
before.

--
Harriet Bazley == Loyaulte me lie ==

Please all, and you will please none.

[Richard Porter]

The date being 2 Mar 2021, Harriet Bazley <har...@bazleyfamily.co.uk>

If you convert a site from http to https you should put a bit of code in
the .htaccess file (in public_html) to convert any requests for http to go
to https instead. This is what I've done in of my sites:

RewriteEngine On
RewriteCond %{HTTP_HOST} minimarcos\.org\.uk [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://minimarcos.org.uk/$1 [R,L]

I also changed any http links on the site to https. This works fine except
for my PlusNet web space. PlusNet support is totally unhelpful when it
comes to web space and there's nothing I can do about it, so if you
request https://www.minijem.plus.com/ you get:

A privacy error occurred while communicating with
www.minijem.plus.com this may be a site configuration error or
an attempt to steal private information (passwords, messages or
credit cards)

The certificate is for a different host than the server.

On the other hand http works fine.

[Tim Hill]

In article <39ebfa0...@user.minijem.plus.com>, Richard Porter

<ri...@minijem.plus.com> wrote:
> I also changed any http links on the site to https. This works fine
> except for my PlusNet web space. PlusNet support is totally unhelpful
> when it comes to web space and there's nothing I can do about it, so
> if you request https://www.minijem.plus.com/ you get:

> A privacy error occurred while communicating with
> www.minijem.plus.com this may be a site configuration error or an
> attempt to steal private information (passwords, messages or
> credit cards)

> The certificate is for a different host than the server.

> On the other hand http works fine.

That's because a secure version of http://www.minijem.plus.com/ doesn't
exist. Your cert only applies to https://minimarcos.org.uk/

--

Tim Hill
Webmaster, www.timil.com

websites : php : RISC OS

[News]

In article <39ebfa0...@user.minijem.plus.com>,
Richard Porter <ri...@minijem.plus.com> wrote:

> I also changed any http links on the site to https. This works fine
> except for my PlusNet web space. PlusNet support is totally
> unhelpful when it comes to web space and there's nothing I can do
> about it, so if you request https://www.minijem.plus.com/ you get:

> A privacy error occurred while communicating with
> www.minijem.plus.com this may be a site configuration error or
> an attempt to steal private information (passwords, messages
> or credit cards)

> The certificate is for a different host than the server.

Yes - I found that. However, I have just delved through their help
pages on their site and found the following.

Can I use my webspace with SSL security?

Yes you can. Just use https://homepages.plus.net/username/<page>

I have just tried that with my site and by golly it works. Thus you
do not appear to be able to use the direct url to your domain (in my
case chrisjohnson.plus.net) but must use the more lengthy version.

I am now away to change all refs to the old http url.

--
Chris Johnson

[Chris Hughes]

In message <590802...@invalid.org.uk>

Err no they are completely different sites you have listed, different
organisations in fact it appears!

--
Chris Hughes

[News]

In article <5908055f83c...@spamcop.net>,

News <chrisj...@spamcop.net> wrote:
> Can I use my webspace with SSL security?

Having delved a bit more I found more guidance. They actually say
that there is no need to use https for pages that do not need
encryption, but only for pages that are encrypted. I haven't really
seen that spelt out before.

--
Chris Johnson

[Tim Hill]

In article <645f0608...@mytarbis.plus.com>, Chris Hughes

<new...@noonehere.co.uk> wrote:
> In message <590802...@invalid.org.uk> Tim Hill <t...@invalid.org.uk>
> wrote:

[Snip]

> > That's because a secure version of http://www.minijem.plus.com/
> > doesn't exist. Your cert only applies to https://minimarcos.org.uk/

> Err no they are completely different sites you have listed, different
> organisations in fact it appears!

That's the point.

[Tim Hill]

In article <5908066d06c...@spamcop.net>, News

Pages only need to be encrypted if they contain or seek sensitive
information which could be changed or stolen by a man-in-the-middle
attack. I never received a satisfactory explanation from a https fanboi
at Google why a public photo album or scrapbook would need to be on an
encrypted website if there was no login.

"Because it should" seems to be the only justification. "It's our policy
to make the web more secure". No, it's a lazy "we'll just make the whole
web https then because it's the easiest, laziest solution and will suit
large companies and ISPs"!!

[Richard Porter]

Yes. The problem is that I have no way to create a secure version. I can't
even get at cgi-bin (they removed access without telling everyone). I
can't see the root directory.

Richard

[Richard Porter]

The date being 4 Mar 2021, News <chrisj...@spamcop.net> decided to
write:

> Yes - I found that. However, I have just delved through their help
> pages on their site and found the following.

> Can I use my webspace with SSL security?

> Yes you can. Just use https://homepages.plus.net/username/<page>

> I have just tried that with my site and by golly it works. Thus you
> do not appear to be able to use the direct url to your domain (in my
> case chrisjohnson.plus.net) but must use the more lengthy version.

> I am now away to change all refs to the old http url.

Thanks for that. I'll give it a try. Why couldn't PlusNet support tell me
that?

[Richard Porter]

The date being 4 Mar 2021, News <chrisj...@spamcop.net> decided to
write:

> Having delved a bit more I found more guidance. They actually say
> that there is no need to use https for pages that do not need
> encryption, but only for pages that are encrypted. I haven't really
> seen that spelt out before.

Well yes, but if you use relative links they inherit the base and
therefore the secure status. So in reality don't you need to have all
pages on the secure web site? Or else you can only have absolute links.

[News]

In article <5ae9200...@user.minijem.plus.com>,

Richard Porter <ri...@minijem.plus.com> wrote:
> Thanks for that. I'll give it a try. Why couldn't PlusNet support
> tell me that?

Support??? 8(

--
Chris Johnson

[Richard Porter]

The date being 4 Mar 2021, Chris Hughes <new...@noonehere.co.uk> decided

There are links both ways between them. I have to be careful to use http
from minimarcos.org to minijem.plus.com. The other direction is no
problem. Just to complicate things I have minijem.org.uk which is an alias
for the PlusNet domain.

Of course if I was setting up the sites today I would have steered clear
of using any ISP domain in public. In fact I should have learned that
after Argonet went titsup, but I wasn't familiar with registering domain
names at that time.

[Chris Hughes]

In message <80bd230...@user.minijem.plus.com>

You could migrate your websites away from PlusNet to a proper hosting
company.

Most of the Customer Service staff do not even know that some long term
users have webspace, or that there is access to usenet. If you have issues
best idea is go on the Community forums where a far few of the remaining
long serving staff are.

BT who own PlusNet made nearly all the staff sign new contracts last
September I understand to be on the same terms as the BT retail staff, so
a few longer serving staff left sadly.

--
Chris Hughes

[Theo]

Tim Hill <t...@invalid.org.uk> wrote:
> Pages only need to be encrypted if they contain or seek sensitive
> information which could be changed or stolen by a man-in-the-middle
> attack. I never received a satisfactory explanation from a https fanboi
> at Google why a public photo album or scrapbook would need to be on an
> encrypted website if there was no login.

1. Surveillance
Ask Mr Snowden about that, but also tracking companies gathering data about
you. If your packets transit an unfriendly country, expect what you look at
to be logged and sieved for interesting things. Your ISP may profile you
and sell on the data to advertisers.

2. Hijacking.
If I sit on the same network as you - for example the wifi network in a cafe
- I can hijack your HTTP sessions. That means as well as changing what you
see and where any links might go, I can run malicious Javascript on
your machine. I can make your machine download malicious files. I can
inject exploits for JS or browser vulnerabilities.

3. Cookie stealing
Given I can hijack your sessions, I may also present as some website you do
care about and steal their cookies. Now I can login to the real website as
you. (there are mitigations against this attack, but there's always
somebody who doesn't do it right)


Basically any time you use HTTP you have to trust every network between you
and the endpoint, and we don't any more live in a world where they are
trustworthy. With HTTPS you still have to trust the endpoint, but you don't
have to care about the network in between.

Theo

[Steve Fryatt]

On 2 Mar, Tim Hill wrote in message
<59070b...@invalid.org.uk>:

> It's a huge leap from a hobbyist photographer with a few photos he wants
> to show off to a banking website. Of course your money needs to be secure
> but websites you don't log into in any way don't need to be https.

But given that it's easy to do and doesn't cost the user anything in most
cases (assuming that they have even a half-decent webhost), why not just do
it?

--
Steve Fryatt - Leeds, England

http://www.stevefryatt.org.uk/

[Tim Hill]

In article <mpro.qpjip501...@stevefryatt.org.uk>, Steve Fryatt

<ne...@stevefryatt.org.uk> wrote:
> On 2 Mar, Tim Hill wrote in message <59070b...@invalid.org.uk>:

> > It's a huge leap from a hobbyist photographer with a few photos he
> > wants to show off to a banking website. Of course your money needs to
> > be secure but websites you don't log into in any way don't need to be
> > https.

> But given that it's easy to do

The level of difficulty involved is not the point.

> and doesn't cost the user anything in
> most cases (assuming that they have even a half-decent webhost), why
> not just do it?

Doesn't cost the user anything in most cases? Have you never used a
commercial ISP?

[Steve Fryatt]

On 6 Mar, Tim Hill wrote in message
<5908f9...@invalid.org.uk>:

> Doesn't cost the user anything in most cases? Have you never used a
> commercial ISP?

Yes, thanks. I've not yet encountered a cheap shared hosting provider that
doesn't throw in Let's Encrypt for "free" on a basic Linux hosting setup.
Judging by the discussion on the ROOL forum the other week when this came up
there, neither has anyone else[1].

That's "free", by the way, because it would probably be more accurate to say
that they don't knock anything off the price for /not/ using HTTPS.


1. I was the odd one out without HTTPS on my site, and when I finally got
around to looking into it, a quick message to my host's support folk had
Let's Encrypt enabled in five minutes. The other sites that I look after
(WROCC, Wakefield Show, theatre) have all had HTTPS enabled for a while.

[Tim Hill]

[snip]

Thanks, Theo. That's a better explanation than anyone at Google ever put
forward, though credentials should only be stored for secure websites, of
course and very hard to fake that to steal them.

The important thing is risk. We all take one every time we step outside
the front door. Could my local Costa have a man-in-the-middle lurking on
its WiFi to get at my HTTP sessions? It could. With the emphasis on
'could'.

Is it likely though?

Of course, documented cases of it happening to members of the public
would be useful in order to illustrate the risks involved but you're more
likely to find links for tools to carry it out than any evidence of it
happening like that. That's not to say that commercial organisations
haven't been targeted with a form of MITM attacks but I gather the bad
guys prefer phishing to get their malicious software onto corporate
systems because it's easier to do than spoof their way onto a corporate
network to then lurk and inject.

[Tim Hill]

In article <mpro.qpjxh904...@stevefryatt.org.uk>, Steve Fryatt

<ne...@stevefryatt.org.uk> wrote:
> On 6 Mar, Tim Hill wrote in message <5908f9...@invalid.org.uk>:

> > Doesn't cost the user anything in most cases? Have you never used a
> > commercial ISP?

[Snip]

> That's "free", by the way, because it would probably be more accurate
> to say that they don't knock anything off the price for /not/ using
> HTTPS.

It's the free-to-entice-you ones (or 'included with broadband') who seem
to want to charge extra. A little investigation soon revealed to me that
I could upgrade one package from free to EUR 3 a month to switch to https
(which is about the same as hosting packages that charge EUR 3 a month
but throw in 'free' https!) but they also increase storage too so
tempting anyway as I'm at >80% and it will only get bigger.

Needless to say, the ISP with whom I have 'free unlimited webspace' turns
out to be 'free http webspace' but their certificates are fairly cheap
and I am using about 7.5 GB of their servers so can't complain really.

> 1. I was the odd one out without HTTPS on my site, and when I finally
> got around to looking into it, a quick message to my host's support
> folk had Let's Encrypt enabled in five minutes. The other sites that I
> look after (WROCC, Wakefield Show, theatre) have all had HTTPS enabled
> for a while.

Yes, it's easy and thanks to RISC OS-side utilities, really easy to
change any self-referencing http to https. I was just being selfish about
the actual cost to me of multiple domains, I suppose. I have already
changed one site to https and it was a simple matter of using the ISP's
web interface and handing over some dosh. It was easier than having to
reorganise a few .eu domains and things like redirecting all http
requests to https was just a click.

I daresay I'll get around to all of them eventually thanks to inertia and
search rankings but RISC OS browsers must continue to work with local
development versions of web sites and not expect the local RISC OS web
server to be endowed with encryption. ;-)

[Theo]

Tim Hill <t...@invalid.org.uk> wrote:
> [snip]
>
> Thanks, Theo. That's a better explanation than anyone at Google ever put
> forward, though credentials should only be stored for secure websites, of
> course and very hard to fake that to steal them.
>
> The important thing is risk. We all take one every time we step outside
> the front door. Could my local Costa have a man-in-the-middle lurking on
> its WiFi to get at my HTTP sessions? It could. With the emphasis on
> 'could'.
>
> Is it likely though?

It's a straightforward attack vector, so why not? If there's targets of
sufficient value, somebody will do it. Maybe not your local Costa, but
perhaps the one in Westminster? Just drop a phone running suitable software
down the back of the sofa and walk away.

Given that everyone has a browser that does HTTPS already[1], why not enable
it for every site? It takes a small amount of server setup and that's it,
it's no longer a problem.

Theo

[1] OK, there's probably someone running Doggysoft Webite out there. Apart
from you.

[David Higton]

In message <5908fe...@invalid.org.uk>

Tim Hill <t...@invalid.org.uk> wrote:

> [snip]
>
> Thanks, Theo. That's a better explanation than anyone at Google ever put
> forward, though credentials should only be stored for secure websites, of
> course and very hard to fake that to steal them.
>
> The important thing is risk. We all take one every time we step outside the
> front door. Could my local Costa have a man-in-the-middle lurking on its
> WiFi to get at my HTTP sessions? It could. With the emphasis on 'could'.
>
> Is it likely though?

By the time you discover that it did, it's already too late for you.

David

[David Higton]

In message <5908f9...@invalid.org.uk>

I use a commercial ISP. I pay £11.99 pa for my web space. The upgrade
from http to https was free; I needed to contact their support people,
which was free, quick and very professional.

So the upgrade (I assume that's specifically what we mean) was indeed
free for me.

You don't need to get a certificate from the provider. Mine comes from
Let's Encrypt (no surprise there). What I didn't realise was that the
website provider would renew the cert automatically, at no extra cost
to me.

So the upgrade is still free overall after several renewals.

I can't see any reason /not/ to go to https.

I'm also working on upgrading a special http server of my own to https,
hence the discussions in the ROOL fora about AcornSSL server
functionality. After that, snooping on my home automation commands
will go from unlikely to impossible.

David

[Richard Porter]

The date being 4 Mar 2021, Chris Hughes <new...@noonehere.co.uk> decided
to write:

> You could migrate your websites away from PlusNet to a proper hosting
> company.

Yes, I do have a reseller hosting arrangement and an alias domain name so
that would be quite easy. The problem is that I have a lot of inbound
links from around the world, so I'd need to redirect http requests, but
not email.

[Nick Roberts]

In message <lqb*e4...@news.chiark.greenend.org.uk>

I am the author and maintainer of a complex LAMP site on a corporate
intranet at my workplace.

Because
(a) the network not accessible by the internet (the only link between
this network and the internet is footnet), and

and (b) all users must have logged on to the corporate network via a
corporately owned machine with a set of restrictive windows group
policies that would make the typical government IT security officer nod
approvingly ...

then illegitimate accessing of the site would indicate that our security
people have got a lot more serious issues to worry about than whether
anyone is attempting to steal any http packets.

Yet even in that environment, Chrome tries to convert all protocols to
https. It's really frustrating for users, to the extent that I'm
currently looking at how to let the site self-certificate, which is
less than straightforward (and probably against our corporate security
policy anyway).

--
Nick Roberts tigger @ orpheusinternet.co.uk

Hanlon's Razor: Never attribute to malice that which
can be adequately explained by stupidity.