Opened 5 years ago

Closed 5 years ago

#7584 closed defect (fixed)

HTTPS Everywhere breaks links from PubMed to BiomedCentral

Reported by: cypherpunks Owned by: MB
Priority: High Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere Version:
Severity: Keywords:
Cc: schoen Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Using Firefox with HTTPS Everywhere add-on, start here:

https://www.ncbi.nlm.nih.gov/pubmed/23116330

With HTTPS Everywhere enabled, click the link in the top-right corner, "Read Free Full Text at BioMedCentral"

This will lead to

http://www.biomedcentral.com:443/1756-0500/5/610/abstract

and produce this error:

<!DOCTYPE HTML PUBLIC "-IETFDTD HTML 2.0EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
Instead use the HTTPS scheme to access this URL, please.<br />
<blockquote>Hint: <a href="https://127.0.0.1/"><b>https://127.0.0.1/</b></a></blockquote></p>
<hr>
<address>Apache/2.2.16 (Debian) Server at 127.0.0.1 Port 443</address>
</body></html>

Manually replacing "http" with "https" produces the correct page.

With the "BioMed-Central" rule in HTTPS Everywhere disabled, the link works as expected (albeit without switching to https).

I am using HTTPS-E 3.0.4 on Firefox 17.0 (Fedora 17)

Child Tickets

Change History (3)

comment:1 Changed 5 years ago by pde

Cc: schoen added
Owner: changed from pde to MB
Priority: normalmajor
Status: newassigned

comment:2 Changed 5 years ago by schoen

The trouble is that BiomedCentral itself is sending invalid 302 redirects in response to what "should" be valid HTTPS URLs (i.e., HTTPS versions of valid HTTP URLs, on a site where this normally works). I think the problem is essentially that BiomedCentral accepts HTTPS for all resources on www.biomedcentral.com, but whenever a URL is accessed that produces a 302, the 302 destination is invalid.

< HTTP/1.1 302 Moved Temporarily
< Date: Mon, 10 Dec 2012 22:27:26 GMT
< Server: Apache/2.2.16 (Debian)
< Set-Cookie: UUID=c2fab02d-5f6b-4f94-996a-94018028522a; Path=/
< Location: http://www.biomedcentral.com:443/1756-0500/5/610/abstract

It would be possible to add an exclusion for all URLs that generate a 302 (if we knew what they were), or to create rewrite rules that mimic the effect of the 302s except correctly (if we knew what they were!), but I am wary of this because I think there are potentially many URLs that generate 302s (and perhaps the 302 redirect target even varies from article to article!). So, we will disable this rule for now and I'll write to the BiomedCentral webmasters about this.

Although I will try to see if I can rewrite the http://www.biomedcentral.com:443/ to https://www.biomedcentral.com/ myself (!). Yikes.

comment:3 Changed 5 years ago by schoen

Resolution: fixed
Status: assignedclosed

Yuck, that worked. :-(

Note: See TracTickets for help on using tickets.