[u-u] oeb.ca geo-blocked?
Dan Astoorian
djast at ecf.utoronto.ca
Thu Feb 13 11:07:35 EST 2025
A lot of modern browsers now seem to default to https://, and fall back
to http:// if it is not available.
There's been a push for some time to make https:// the default for the
web, which makes some sense. As long as browsers default to http://, a
DNS attack is sufficient to redirect traffic from http://oeb.ca to an
https:// site of the attacker's choosing (e.g., they could register
www.oeb-on.ca and get a LetsEncrypt cert for that domain, and redirect
http://oeb.ca to https://www.oeb-on.ca).
Even without an http redirect, I get sent to https://oeb.ca upon typing
"oeb.ca" into the address bar in any of Firefox 128.5.1esr, Chromium
131.0.6778.139, or Microsoft Edge 131.0.2903.99 on my AlmaLinux 8
workstation.
Cf. https://blog.chromium.org/2023/08/towards-https-by-default.html .
--
Dan Astoorian, Systems Administrator
Engineering Computing Facility
University of Toronto
On 2025-02-13 10:09, Giles Orr wrote:
>> On February 11, 2025 11:07:26 AM EST, Bruce Becker <bdb at 0123456789-abcdefghijklmnopqrstuvw.xyz> wrote:
>>> on F/F, "oeb.ca" times out altho "oeb.ca/" works as expected
>>>
>>> On Tuesday, February 11, 2025 at 10:29:25 a.m. EST, Evan Leibovitch <evan at telly.org> wrote:
>>>
>>> Not sure if it's geo-blocking, but something is definitely weird.
>>> From deep inside 416, oeb.ca times out on Firefox but works fine on Brave. Try switching browsers.
>>> On Tue, Feb 11, 2025 at 8:47 AM Andrew Cagney <andrew.cagney at gmail.com> wrote:
>>>
>>> It seems that oeb.ca isn't accessible outside of Fordtopia (for
>>> instance, from .au and .eu say). Would anyone know if this is
>>> intentional?
>>> Andrew
> On Tue, 11 Feb 2025 at 11:35, William Kisin <uu at sunlight.ca> wrote:
>> Using Firefox on my Android tablet:
>>
>> oeb.ca fails
>> oeb.ca/ fails
>> http://oeb.ca fails
>> https://oeb.ca works
>>
>> William (Willie) Kisin
> I've managed to set up a server that behaved exactly the same. This
> is bad server administration from whoever is running the web server.
>
> Interestingly, they've been clever enough to block the server
> announcing its server type:
>
> $ curl -I https://oeb.ca/
> HTTP/1.1 302 Found
> Date: Thu, 13 Feb 2025 15:04:49 GMT
> Server:
> Location: https://www.oeb.ca/
> Content-Type: text/html; charset=iso-8859-1
>
> But not clever enough to manage the redirect from http: to https:.
> Which means 99.9% of the population won't manage to get to this site
> because just typing "oeb.ca" uses http: which should then redirect to
> https: as it does on nearly every other server on the planet. I
> expect this will be fixed soon, although you never know.
>
> "Never attribute to malice that which is adequately explained by stupidity."
>
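An added example, not part of the original messages: a first-hop audit that separates the case reported in this thread (nothing usable answers on http://) from a normal same-site upgrade and from a plain-HTTP redirect that leaves the expected site. The function names, finding codes and SAMPLES data are assumptions made for illustration; the https result for oeb.ca mirrors the curl output quoted above.

```python
import http.client
import sys
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def probe(url, timeout=5):
    """HEAD one URL without following redirects; None if it cannot be reached."""
    u = urlsplit(url)
    https = u.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("HEAD", u.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location", "")
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()

def same_site(origin, target):
    """True if target is the origin host, a subdomain of it, or its bare apex."""
    o, t = origin.lower(), (target or "").lower()
    return t == o or t.endswith("." + o) or o == "www." + t

def classify(host, http_result, https_result):
    """Turn the two first-hop observations for `host` into one finding code."""
    if https_result is None:
        return "https-unreachable"
    if http_result is None:
        return "http-unreachable"        # the behaviour reported in the thread
    status, location = http_result
    target = urlsplit(location)
    if status not in REDIRECTS or target.scheme != "https":
        return "http-not-upgraded"       # plain HTTP is served as-is
    if not same_site(host, target.hostname):
        return "http-redirect-offsite"   # first hop leaves the expected site
    return "ok"

# Constructed observations as (http result, https result) pairs.
SAMPLES = {
    "as-reported": (None, (302, "https://www.oeb.ca/")),
    "upgraded": ((301, "https://oeb.ca/"), (302, "https://www.oeb.ca/")),
    "offsite": ((302, "https://www.oeb-on.ca/"), (302, "https://www.oeb.ca/")),
}

if __name__ == "__main__":
    host = sys.argv[1]
    print(classify(host, probe(f"http://{host}/"), probe(f"https://{host}/")))
```

Run as a script with a hostname argument to probe a live site; the classification itself needs no network access.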