by ReactiveJelly 1756 days ago
Maybe it's a buggy HTTPS redirect in GP's browser? Due to HSTS or something?

The HTTP version of your URL works fine. The HTTPS version has an expired cert. If I click past that, it redirects to redis.io, then gives a 404.

I know antirez is a smart guy, but if this is some kind of "I'm taking a bold stance against HTTPS" then I'd rather read the archive.org link with functioning HTTPS. My threat model prefers trusting archive.org to correctly reproduce the blog, over trusting everyone between me and antirez.com.

2 comments

Wow, you just opened my eyes – I really thought he had deleted his blog! Must be the HTTPS Everywhere extension I'm using – though I really don't understand why it redirects me to redis.io just because antirez's TLS certificate is for redis.io, not antirez.com. I would really prefer a clear error message here.
The web server(s) at antirez.com are weirdly configured. So it’s not so easy for the web browser to display a very clear error message in this case.

If you run this command you can see a little more clearly what’s going on:

  wget --no-check-certificate -S -O - https://antirez.com/news/124

If you use the plain HTTP URL, everything works fine.

If you try https://antirez.com/news/124 the web server at antirez.com:443 will answer this:

  HTTP/1.1 301 Moved Permanently
  Server: nginx/1.10.2
  Date: Sat, 04 Sep 2021 18:15:46 GMT
  Content-Type: text/html
  Content-Length: 185
  Connection: keep-alive
  Location: https://redis.io/news/124

So it’s not HTTPS Everywhere that redirects, it’s the web server itself.

However, many clients won’t heed this response, since antirez.com:443 serves a certificate that’s not valid for that hostname.

Looks like the cert is for a different domain (redis.io) AND it expired August 7, 2020.
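
Added example (not part of any comment in this thread): the two checks a validating client applies before it ever reads the 301 quoted above, hostname match and validity window, written in Python. The certificate dict is constructed from what the commenters report (issued for redis.io, expired August 7, 2020); its notBefore value and the function names are assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample shaped like ssl.SSLSocket.getpeercert() output. The name
# and notAfter follow the thread's description; notBefore is an assumption.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "redis.io"),),
    "notBefore": "May  9 00:00:00 2020 GMT",
    "notAfter": "Aug  7 00:00:00 2020 GMT",
}
# Time of the request, taken from the Date header quoted in the thread.
REQUEST_TIME = datetime(2021, 9, 4, 18, 15, 46, tzinfo=timezone.utc)


def dns_name_matches(pattern, hostname):
    """Compare label by label; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label such as "*.io".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def tls_problems(cert, hostname, now):
    """Return the reasons a client should reject this certificate for hostname."""
    problems = []
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(dns_name_matches(name, hostname) for name in names):
        problems.append("hostname-mismatch")
    if now.timestamp() < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not-yet-valid")
    if now.timestamp() > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems


def should_follow_redirect(cert, requested_host, now):
    """A redirect read from a connection that failed validation is untrusted."""
    return not tls_problems(cert, requested_host, now)


if __name__ == "__main__":
    print(tls_problems(SAMPLE_CERT, "antirez.com", REQUEST_TIME))
    print(should_follow_redirect(SAMPLE_CERT, "antirez.com", REQUEST_TIME))
```
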
Let's hear more about your threat model that causes you to worry about nefarious content being injected into a blog post about comments in code.
Not OP, but residential ISPs were caught injecting ads into HTTP sites at least as early as 2014. [0]

I certainly wouldn't trust Comcast to keep malicious ads out of their ad network, either.

[0] https://www.techdirt.com/articles/20140908/07191228453/comca...

How about not opening the gates for third parties to inject ads, trackers and crypto miners?
I agree that in this case (reading an article) HTTP is not a huge threat. But in 2021 I consider HTTPS + HSTS to be a basic hygiene factor.
A bit snarky but I agree, it doesn’t seem like a huge threat. I’d love to be proven wrong though.