[OSM-talk] HTTPS all the Things (Automated Edit)

Joseph Reeves iknowjoseph at gmail.com
Tue Feb 26 13:45:06 UTC 2019


This certificate question from Andy is a good one, and is the final reason
I'm emailing to say I would vote against this proposed edit:

   1. I can't see the security risk you're trying to protect against. We
   are looking at applications that use OSM data and will refer users to third
   party websites; what is the risk of a malicious user MiTM'ing an http
   request to a restaurant website (for example) and sending me to a location
   other than the https version of the site? What web clients are you
   expecting this applies to?
   2. I can see in the comments of your diary entry that you were told
   about HSTS recently. I'm not trying to be offensive, but that shows you're
   not an HTTPS / web security expert. Do you really think you're the person to
   be making worldwide automatic changes to the database? As an aside, HSTS
   is interesting here because the website operator is saying "only use this
   domain over https", but at that point we don't need to make changes to the
   database because the web client should be aware of the HSTS preload list;
   the protocol listed in the referrer is not relevant.
   3. Again, are you checking https certificates? Do you know that the
   https site actually works?
   4. Are you checking the redirect code? Do you differentiate between
   temporary and permanent redirects?
   5. Are redirects even that bad? If I were to set up some careful
   redirects and have them ignored by a bot that thinks it knows better, I may
   be a little annoyed. What about geographic redirects? http://example.com
   becomes https://de.example.com, for example.
   6. A different, but related issue: You say you "abhor www", but does
   that mean you should be making changes based on this? What about the people
   that like www. ? www. and the bare domain can be different hosts, so what
   about the small number of cases in which people host a different site on
   the bare domain? I notice your own domain resolves a different IP for the
   bare domain and the www subdomain.

I can see that you want to promote https adoption, but I can't see that the
OSM database is the place to do it. In the end, the website operator is
responsible for deciding upon transport security, or not, and in how they
publicise their sites; working with site operators, I think there is better
work to be done encouraging https adoption outside of OSM, or more advanced
topics such as HSTS. I also think you could explore the applications that
use OSM data, and determine if they're using resources such as the HSTS
preload list.

I don't think there has been enough consideration of some of the issues
here, and I think an automated bot edit would create a lot of noise without
any obvious improvements.

Cheers, Joseph



On Tue, 26 Feb 2019 at 13:14, Andy Townsend <ajt1047 at gmail.com> wrote:

> On 26/02/2019 12:34, Bryce Jasmer wrote:
> > Correct. No change will be made on anything other than the most
> > straightforward of redirects. So even http://example.com ->
> > https://example.com/home.aspx will be ignored.
>
> What about certificate checking?  Suppose someone primarily uses http://
> for accessing their server, but has either a self-signed certificate on
> https:// or an untrusted / expired one (perhaps they were testing).
> Presumably in that case you wouldn't change http:// to https:// ?
>
> Best Regards,
>
> Andy
>
>
> _______________________________________________
> talk mailing list
> talk at openstreetmap.org
> https://lists.openstreetmap.org/listinfo/talk
>
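As an added illustration of the checks raised in this thread (not code from the thread or from the proposed bot): a conservative decision rule in Python that only accepts an http:// to https:// rewrite when the https side presents a valid certificate and the http side issues a permanent redirect to the same host and path. The `probe` dict and its keys (`tls_valid`, `status`, `location`) are assumptions standing in for what a bot would observe when it fetches the URL.

```python
from urllib.parse import urlsplit

# Constructed example, not part of the mailing-list thread. `probe` holds the
# observations a bot would gather for one website tag (assumed field names):
#   tls_valid : bool  - https://host/ served with a trusted, unexpired cert
#   status    : int   - HTTP status returned by the http:// URL
#   location  : str   - Location header returned by the http:// URL
PERMANENT = {301, 308}  # temporary redirects (302/303/307) are not enough


def https_rewrite_decision(url, probe):
    """Return (ok, reason); ok is True only if every objection in the thread is answered."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return False, "not an http:// URL"
    # Andy's point: a self-signed, expired or untrusted cert means https does not work.
    if not probe.get("tls_valid"):
        return False, "https certificate untrusted, expired or self-signed"
    status = probe.get("status")
    if status not in PERMANENT:
        return False, f"status {status} is not a permanent redirect (301/308)"
    target = urlsplit(probe.get("location", ""))
    if target.scheme != "https":
        return False, "redirect target is not https"
    # Host must be identical: catches geographic (de.example.com) and www vs bare-domain cases.
    if target.hostname != parts.hostname:
        return False, f"host changed ({parts.hostname} -> {target.hostname})"
    # Only the most straightforward redirect qualifies: same path and query.
    if (target.path or "/") != (parts.path or "/") or target.query != parts.query:
        return False, "path or query changed; not a straightforward redirect"
    return True, "permanent redirect to the same host and path over valid TLS"


if __name__ == "__main__":
    # Constructed cases mirroring the thread's examples.
    cases = [
        ("http://example.com", {"tls_valid": True, "status": 301, "location": "https://example.com/"}),
        ("http://example.com", {"tls_valid": True, "status": 301, "location": "https://example.com/home.aspx"}),
        ("http://example.com", {"tls_valid": True, "status": 301, "location": "https://de.example.com/"}),
        ("http://example.com", {"tls_valid": True, "status": 302, "location": "https://example.com/"}),
        ("http://example.com", {"tls_valid": False, "status": 301, "location": "https://example.com/"}),
        ("http://www.example.com", {"tls_valid": True, "status": 301, "location": "https://example.com/"}),
    ]
    for url, probe in cases:
        print(url, "->", probe["location"], https_rewrite_decision(url, probe))
```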