308 Permanent Redirect #117

Open
mavit opened this issue Sep 29, 2020 · 10 comments
Labels:

  • blocked: Something has to happen first elsewhere
  • compatibility: Warnings, deprecations or incompatibilities to tackle
  • enhancement: New feature or request
  • S2: Severity: 2
  • specs: This involves changes in recommendations

Comments

@mavit
Contributor

mavit commented Sep 29, 2020

I notice that 301 Moved Permanently is used to redirect from HTTP to HTTPS, but that this status code can cause POST requests to be transformed to GET requests.

There's a new code 308 Permanent Redirect which seems more appropriate, here. I understand it's not supported by IE 11 before Windows 10, but is there a reason it's not used in the Modern profiles?
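
An added illustration of the method change described in the comment above (not part of the issue thread or the project's code): a constructed local server answers a POST with 301 and with 308, and Python's standard `urllib` client shows what reaches the redirect target. The paths `/r301`, `/r308`, `/target` and the form body are made up for the demo.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SEEN = []  # (method, body length) of every request that reached /target


class Handler(BaseHTTPRequestHandler):
    def _handle(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path in ("/r301", "/r308"):       # constructed demo paths
            self.send_response(int(self.path[2:]))
            self.send_header("Location", "/target")
        else:
            SEEN.append((self.command, len(body)))
            self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = _handle

    def log_message(self, *args):                 # silence per-request logging
        pass


def post_via(path, body=b"user=alice&amount=10"):  # constructed form body
    """POST to a redirecting path; return (final status, requests seen at /target)."""
    SEEN.clear()
    server = HTTPServer(("127.0.0.1", 0), Handler)  # ephemeral local port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d%s" % (server.server_port, path)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(urllib.request.Request(url, data=body), timeout=5) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code       # urllib will not re-send a POST body on its own
        err.close()
    finally:
        server.shutdown()
        server.server_close()
    return status, list(SEEN)


if __name__ == "__main__":
    print("301:", post_via("/r301"))  # followed as GET, body dropped
    print("308:", post_via("/r308"))  # not rewritten to GET
```

With 301 the target receives a bodiless GET and the client still reports success; with 308 `urllib` hands the redirect back to the caller instead of rewriting the method, whereas a browser that supports 308 repeats the POST with its body at the new location.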

@gene1wood
Collaborator

Good point. Looks like browser support would map to Modern.

Anyone interested in PRing changes for Modern in your favorite server type to use 308?

@gene1wood gene1wood added the enhancement New feature or request label Apr 2, 2021
mavit added a commit to mavit/ssl-config-generator that referenced this issue Apr 3, 2021
Applies to the modern configuration only.

Relates to mozilla#117.
gstrauss added a commit to gstrauss/ssl-config-generator that referenced this issue Apr 5, 2021
x-ref:
  "308 Permanent Redirect"
  mozilla#117
  "For Apache, prefer 308 Permanent Redirect to 301 Moved Permanently"
  mozilla#137
gstrauss added a commit to gstrauss/ssl-config-generator that referenced this issue Sep 18, 2022
x-ref:
  "308 Permanent Redirect"
  mozilla#117
  "For Apache, prefer 308 Permanent Redirect to 301 Moved Permanently"
  mozilla#137
@gstrauss
Collaborator

gstrauss commented Jan 5, 2024

According to the details in https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/308, all web browsers listed on the page have supported 308 for over 8 years, with Edge, of course, being the last among them to add support for 308 in Edge 12 released 2015-07-28.

A year and a half ago, Microsoft published an article declaring IE 11 dead and buried. https://blogs.windows.com/windowsexperience/2022/06/15/internet-explorer-11-has-retired-and-is-officially-out-of-support-what-you-need-to-know/
Again, that was a year and a half ago and was not a surprise, IE having been long deprecated.

Internet Explorer 11 desktop app retirement FAQ (Published May 19 2021 08:55 AM)
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/internet-explorer-11-desktop-app-retirement-faq/ba-p/2366549
In an update to that article on or before May 18, 2023:

Update:
The retired, out-of-support Internet Explorer 11 desktop application has been permanently disabled through a Microsoft Edge update on certain versions of Windows 10.
Based on customer feedback, organizations will maintain control over when to remove IE11 UI elements from their devices.
Over the coming months a small subset of exceptional scenarios where IE11 is still accessible will be redirected to Edge, ensuring users access a supported and more secure Microsoft browser.

https://en.wikipedia.org/wiki/List_of_Microsoft_Windows_versions
Windows 8.1 end-of-life was 2023-01-10, a year ago.


IE has been actively disabled. The concerns raised in this issue are out-of-date.

This issue could have been resolved years ago with a simple choice:

  • Allow status code 308 to be used in templates without restriction
    or
  • Allow status code 308 to be used in Intermediate and Modern templates.

@gene1wood is there any open question that remains that would prevent this issue from being decided and resolved?

@janbrasna
Collaborator

EOL or not, the intermediate claims to support it:

"oldest_clients": ["Firefox 27", "Android 4.4.2", "Chrome 31", "Edge", "IE 11 on Windows 7", "Java 8u31", "OpenSSL 1.0.1", "Opera 20", "Safari 9"],

which hasn't changed since the issue opened.

No problem for modern, as mentioned above.

In intermediate there's one UA running one OS schannel that will break with this 🤷 (I know it's disabled by Edge updater in W10, but IIRC this mechanism doesn't disable IE11 on Server or W7/8 so there still might be live IE11 as shown by globalstats: 11=0.44%, i.e. not completely extinct 😢).

So unless there's a new UA support matrix in the cards for the specs, this should not break now. (Read: Might need new specs version release with different UAs claimed to be supported; at the same time this might mean moving all DHE to old as that correlates with said EOLed UAs somewhat…) — or unless someone approves breaking the declared support UAs intentionally if they're "dead enough", without actually bumping the specs version and changing the supported clients list…

@gstrauss
Collaborator

Please help me to understand. If software is end-of-life, then the "old" config applies. People using end-of-life software should not qualify for "intermediate" compatibility. The software they are using is end-of-life. Yes, people are using end-of-life software. It is obvious that it is not dead yet. However, end-of-life software should unquestionably qualify as "old" and nothing else.

Now, I have not checked end-of-life for Server W7/8, but would point out that web browsers should be used in a very, very limited fashion on Windows servers, as they are servers, and not client machines. Safer corporate configs block servers from direct access to the internet if they allow it at all.

@janbrasna
Collaborator

@gstrauss I agree.

There's a lot of sad UAs that should be defined as "old" these days, years after the v5.0 specs came out. But as I mentioned, it's the specs that need to change first, moving some of the browser support around. (And with it, even the ciphers needed to support them, so getting rid of EOL IE 11 AND DHE suites at the same time would be lovely.) — I just don't know what's the roadmap for v5.x specs and who (and when) should make the call it's about time to reassess the support matrix for 2024 perspective.

(The issue with "IE 11" as a client is a simplification to an extent, as it's similar to e.g. 2008 R2 Server or 2012 R2 Server, using the same SChannel they can't get more cipher updates for and are stuck with what's provided by the system network layer, where .NET applications can't use any alternative network stack, only the system SChannel. The R2 Server might be an API client, and the client limitations for the .NET app would be the same as for the IE11 browser unfortunately. So that explains the "web browsers use" on servers. For .NET on R2 Servers that basically means the whole network implementation that can't be replaced or circumvented.)

gstrauss added a commit to gstrauss/ssl-config-generator that referenced this issue Mar 14, 2024
x-ref:
  "308 Permanent Redirect"
  mozilla#117
  "For Apache, prefer 308 Permanent Redirect to 301 Moved Permanently"
  mozilla#137
@gstrauss
Collaborator

gstrauss commented Oct 4, 2024

@janbrasna wrote:

There's a lot of sad UAs that should be defined as "old" these days, years after the v5.0 specs came out. But as I mentioned, it's the specs that need to change first, moving some of the browser support around.

@gene1wood: Do you happen to know which group/committee at or affiliated with Mozilla does that? Is it the Security Assurance team at Mozilla? Is there an open request in an issue tracker or an open item for the project manager to review and refresh the specs?

@janbrasna janbrasna added S2 Severity: 2 compatibility Warnings, deprecations or incompatibilities to tackle specs This involves changes in recommendations labels Oct 8, 2024
@gstrauss
Collaborator

@gene1wood Please take appropriate steps to engage decision makers and update the specs.

@janbrasna posted in #117 (comment) that the specs still have Intermediate supporting an embarrassingly old list of clients. Please escalate to get the specs updated.

End-of-life software is end-of-life. It should not be supported by Intermediate. (I can also argue that it should not be supported by Old because the software is END-OF-LIFE and no longer supported.)

@gstrauss gstrauss added the blocked Something has to happen first elsewhere label Nov 26, 2024