***: ziyourenxiang has joined #arpnetworks
mhoran: OK, I think it was some combination of weird cached things and then redirects that weren't working. https://graphs.arpnetworks.com just redirects to arpnetworks.com, and I think the HSTS somewhere was then getting cached.
But if I go to https://graphs.arpnetworks.com/cacti/ it works.
(After clearing all my cache and history.)
***: ziyourenxiang has quit IRC (Ping timeout: 246 seconds)
brycec: For me, https://graphs.arpnetworks.com does NOT redirect to arpnetworks.com, it redirects to /cacti/. Also, it's not serving an HSTS header.
But if I try http://graphs.arpnetworks.com
But if I try http://graphs.arpnetworks.com it DOES redirect to arpnetworks.com. (And no HSTS header in that response, or the response from https://arpnetworks.com)
^ I've had this same issue with portal.arpnetworks.com -- I type "portal.arpnetworks.com" in my browser and end up at https://arpnetworks.com, but if I make sure to type https://portal.arpnetworks.com I end up where I wanted to be.
Long story short... (portal|graphs).arpnetworks.com:80 really ought to redirect to the https://&:443 and _not_ https://arpnetworks.com, very jarring user experience
mhoran: +1
Yeah I just presumed an HSTS header because of how it was behaving and I was confused.
brycec: I think ARP used to have an HSTS header but with not all the subdomains set up for https, they pulled it because they weren't comfortable.
mercutio: i think hsts was only ever on the main web site
lg.arpnetworks.com doesn't have https
brycec: Right, right. That's my recollection as well. BUT HSTS is typically recommended with "includeSubdomains" (IIRC) flag set so it causes browsers to assume *.arpnetworks.com are HSTS
mercutio: ah
to my mind what is better is when you get put into google etc with HSTS
like prepopulating
brycec: mercutio: You're referring to https://hstspreload.org/ ?
Of course, the easy way into that is to just have a domain under a TLD that's preloaded.
mercutio: looks to be
i don't remember it being quite so easy
brycec: It's been quite that easy for a few years now :P
mercutio: it needs includesubdomains for that
maybe doing includesubdomains isn't such a bad idea, thoughts, up_the_irons ?
brycec: mercutio: No there are whole TLDs that are on the list already. Like .dev and .vodka
I think arpnetworks.vodka has a nice ring to it
mercutio: haha
i didn't know that
brycec: .google is another well-known (I think) [g]TLD that's on the HSTS list. With or without server headers, every web page served from a *.google domain is automatically HSTS'd, including all subdomains etc
mercutio: i didn't know there was a .google even
so many new TLD now!
tbh i don't pay much attention to domain names anymore
i use google to search for what i want generally
brycec: oof the HSTS list has grown quite a bit since I last looked https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json
(Correction, .vodka is not on the HSTS list, I misread something)
mercutio: i prefer gin
that's pretty cool
***: ziyourenxiang has joined #arpnetworks
ziyourenxiang has quit IRC (Remote host closed the connection)