From: Scott Bennett
Date: Tue, 27 Oct 2009 03:08:57 -0500 (CDT)
To: freebsd-questions@freebsd.org, Michael Powell
Cc: Alexander Best
Subject: Re: howto use https in favour of http
Message-Id: <200910270808.n9R88vMU011842@mp.cs.niu.edu>

On Mon, 26 Oct 2009 23:40:48 -0400 Michael Powell wrote:
>Steve Bertrand wrote:
>
>> Alexander Best wrote:
>>> Olivier Nicole wrote on 2009-10-27:
>>>> Hi,
>>>
>>>>> i've added the following line to my /etc/hosts:
>>>
>>>>> permail.uni-muenster.de:25 permail.uni-muenster.de:443
>>>
>>>>> so what i want is for freebsd to never use http, but https for that
>>>>> address.
>>>>> unfortunately hosts doesn't seem to support this syntax.
>>>
>[snip]
>>>
>>> i'm not using a webserver or anything. i'm just a regular user. the point
>>> is: i often forget to specify https://... for that specific address in
>>> apps like lynx or firefox. that's why the non-ssl version of that site is
>>> being loaded. i'd like freebsd to take care of this so even if the app is
>>> trying to access the non-ssl version it should in fact be redirected to
>>> the ssl version by freebsd.
>>
>> I thought that this is what you were originally after.
>>
>> FreeBSD, in itself, can't do this... much like Mac OS or Windows can't
>> do this.
>>
>> Most applications such as Firefox can't even do this (inherently).
>>
>> If you are trying to enforce this as a personal/company policy, you will
>> need to write a 'wrapper' around your application (lynx/firefox) to do
>> this.
>>
>> Note that your example was :25->:443, which implied SMTP over SSL...
>>
>> Nonetheless, FreeBSD can't make these decisions inherently (thankfully).
>>
>> Steve
>
>I think the OP does not have a clear grasp on how the various protocols
>operate. Evidenced by confusing http with mail services. Yes, I know there
>is 'web mail', but even web based mail is still a web server.
>
>It is up to the server operator to configure the services on the server end
>of things. Whether it's SMTP with SSL/TLS, HTTP/HTTPS, pop3 or imap with SSL,
>etc., all of these things are made to work at the server end. True enough a
>client may need to be configured to talk on port 995 for pop3/SSL or port
>993 for IMAP/SSL but for the web a client shouldn't need to do anything.
>
>The web server operator configures which locations in his URI space should
>be served up on port 443, and the client's browser should automatically
>switch to HTTPS based upon this. The OP doesn't seem to understand that he
>doesn't need to make this happen on his end, at least as far as HTTP/HTTPS
>goes.

All of this is true, but it is also true that many web sites offer part
or all of their content pages by both protocols, which allows a client to
fetch such pages by his/her choice of protocol. For such sites, it can be
quite helpful to have a way to tell the browser to prefer, or even require,
one or the other.
>
>If he is actually trying to configure a mail client to talk TLS or SSL to an
>SMTP server, then he needs to tell the email client software this. E.g.,
>"This connection requires encryption" and whether it is SSL or TLS.
>Mail servers on port 25 do not use HTTP or HTTPS, but rather SMTP.
>
>So it seems as if he is just very confused.
>
Definitely the case. However, this list is intended to provide help to
users at all levels of experience and understanding.

What has been overlooked in all of the above discussion is that there
*is* some help available for the OP. A plug-in is available for Firefox
that should *always* be installed ASAP after Firefox has been installed
unless you don't give a rat's ass about browser security. The plug-in is
called "NoScript". (Other highly recommended Firefox security plug-ins
include QuickJava, SafeCache, Torbutton, Better Privacy, etc.)

Directions for the OP: after installing NoScript and restarting Firefox,
bring up the NoScript Options panel. You can do this either by clicking on
"Tools" in the Firefox menu bar at the top of the window and then on
"Add-ons" or "Plug-ins" or some such, depending upon the Firefox version.
This will bring up a panel listing all installed plug-ins. Find the entry
for NoScript, click on the entry (not a button, though) to select it, then
click on its "Preferences" button.

Two alternative methods of getting to the same NoScript Options panel
depend upon what you see at the bottom of the main Firefox window. If you
see a bar inside the window at the bottom that says something about scripts
with an "Options..." button at the right, click on the "Options" button and
then on the "Options..." line at the top of the resulting menu. The other
alternative method is available when there is a capital letter "S" in a
circle in the bottom Firefox status bar. Right-click on this "S", which may
have a slash through it or other decorations, to get a slightly differently
ordered menu. Click on the "Options..." line of this menu to get the
NoScript Options panel.

Once the NoScript Options panel is visible, click on the "Advanced" tab
at the righthand end of the sequence of tabs. This will display some
"subtabs" below the main tabs.
Click again on the righthandmost tab, which says, "HTTPS". A third line of
tabs should appear, containing just two tabs: "Behavior" and "Cookies".
The "Behavior" tab is the one you want. You should be able to figure out
what to do from there, but basically you can identify a site by
host+domainname (e.g., www.sitename.com) into the upper or lower box,
depending upon whether you wish to force connections to use HTTPS or
instead to force connections *not* to use HTTPS. You may also specify an
entire domain (e.g., *.sitename.com).

Note, however, that you can tell the browser which protocol to use to
request a page, but if the server does not offer service by that protocol
you will get only an error page, as was implied by Michael Powell's remarks
quoted above.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet: bennett at cs.niu.edu                                    *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
* -- Gov. John Hancock, New York Journal, 28 January 1790            *
**********************************************************************
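
Added example, not part of the thread above: a sketch of the 'wrapper' idea for a command-line browser such as lynx, using the same host and *.domain pattern forms described for NoScript. FORCE_HTTPS_HOSTS, host_matches and upgrade_url are hypothetical names, and treating *.domain as "subdomains only" is an assumption of this sketch. The rewrite only changes what the client asks for; a server that does not offer HTTPS will still return an error.

```shell
#!/bin/sh
# Added example (not from the thread). FORCE_HTTPS_HOSTS, host_matches and
# upgrade_url are hypothetical names; sitename.com is the message's placeholder.
FORCE_HTTPS_HOSTS="permail.uni-muenster.de *.sitename.com"

# host_matches HOST PATTERN: exact host, or "*.domain" for any subdomain.
host_matches() {
    case "$2" in
        \*.*) domain=${2#\*.}
              case "$1" in *".$domain") return 0 ;; esac ;;
        *)    [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# upgrade_url URL: print URL, switched to https:// when its host is listed.
upgrade_url() {
    url=$1
    case "$url" in
        [Hh][Tt][Tt][Pp]://*) rest=${url#*://} ;;
        *://*) printf '%s\n' "$url"; return 0 ;;  # https, ftp, ...: untouched
        *)     rest=$url ;;                       # scheme left off by the user
    esac
    authority=${rest%%[/?#]*}      # compare the parsed host, never a substring
    tail=${rest#"$authority"}
    hostport=${authority##*@}      # userinfo is not carried into the rewrite
    hostonly=${hostport%%:*}
    port=${hostport#"$hostonly"}
    host=$(printf '%s' "$hostonly" | tr 'A-Z' 'a-z')
    # An explicit non-default port may not speak TLS: leave it as typed.
    case "$port" in ""|:80) ;; *) printf '%s\n' "$url"; return 0 ;; esac
    out=$url
    set -f                         # patterns contain '*': disable globbing
    for pat in $FORCE_HTTPS_HOSTS; do
        if host_matches "$host" "$pat"; then out="https://$host$tail"; break; fi
    done
    set +f
    printf '%s\n' "$out"
}

# Wrapper use (constructed): lynx "$(upgrade_url "$1")"
```

Matching is done on the parsed host, so a listed name that merely appears in another site's path or query string, or as a prefix of a longer hostname, is not rewritten.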