Finish update JOSM to https Redirect port 80 to https?

[stoecker]

Stats:

Current test file has 1000000 lines (makes stats easy :-):

• https: 692439
• http: 307561
  • apt: 73791
  • svn: 44824
  • josm: 5615
  • bots:114034
  • ?: 69297

Means 30% is still http, where 11% (apt+svn+josm) should be https. Only 11% bot traffic is not really wanted and could stay http. Probably half of the last section are viruses, the rest legitimate accesses which probably should be https as well.

Drop HTTPS and redirect to port 443?

[Don-vip]

In Main we still have the following:

    /**
     * Returns the JOSM XML URL.
     * @return the josm XML URL
     * @since 6897
     */
    public static String getXMLBase() {
        // Always return HTTP (issues reported with HTTPS)
        return "http://josm.openstreetmap.de";
    }

I don't remember why.

[stoecker]

I would leave that. Otherwise we redefine our data format.

We're anyway one of the minority where the XML base is really a valid link. Nearly nobody else does this. It will work also in future, but then with a redirect.

[Don-vip]

ok.

[Don-vip]

In 13454/josm:

see #16009 - fix last http -> https links

[Don-vip]

Otherwise, I'm ok with redirection to https :)

[Hb---]

Version 13457 does not show up on Windows 7 64 bit. It gets stuck with the debug line:

FEIN: powershell -Command [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest ​https://roottest-g2.pkioverheid.nl

No problem on Ubuntu 16.04.3.

[stoecker]

The XML-URL's stay valid without redirect ;-) Everything perfect...

[stoecker]

Reading

​BAD TRAFFIC - Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?

I think there is one more point verifying our constant work to switch to https.

[Don-vip]

Yes I guess this was quite easy for a government to corrupt our Windows installer... Are we "as safe as possible" now?

[stoecker]

Replying to Don-vip:

Are we "as safe as possible" now?

Not "as possible", but "as sensible". Some possible techniques are bullshit in my eyes and other s which I think more useful aren't really usable yet.

So for the server we could say: Yes.
Other sources: Not yet, but in progress.

[stoecker]

We have still more than 900 http entries in the Imagery. I think many of these could actually be https. I wanted to add it to the SyncChecker, but more than 900 is a bit much even if not marked in red ...

[stoecker]

Status after the major rework last weeks:

• 164 domains use http instead of https
• 375 link use http
• One domain (ge.ch) used http and https, but the https link is broken for the specified http URL

i.e. more than half of the 900 links are fixed now.

Command to print remaining domains:

perl -ne 'print "$2 [$1]\n" if /http(s?):\/\/(.*?)\//;' imagery_josm.imagery.xml |sort -u |perl -ne '/(.*) \[(s?)\]/; print "$1\n" if $a ne $1 && !$2; print "$1 BOTH\n" if $a eq $1; $a = $1;'

[stoecker]

See #16123 for special imagery https ticket.