I mistakenly accessed https://llvm.org/ (httpS instead of plain HTTP). I'd expect either * HTTPS working * Redirection to the plain HTTP site * at worse, no reply from server. Instead, I got a 404 error: Not Found The requested URL / was not found on this server. I guess there's a misconfigured virtual host in the apache config.
Considering what http://llvm.org/apt/ offers, you'd expect https://llvm.org/apt/ to work, but it doesn't. Not even for the GPG key. Please enable secure downloads for the GPG key at the very least!
It'd also be nice if Bugzilla worked over HTTPS.
*** Bug 21649 has been marked as a duplicate of this bug. ***
Oddly, while https://llvm.org/PRnnnn returns a 404, http://llvm.org/PRnnnn will redirect to https://llvm.org/bugs/show_bug.cgi?id=nnnn
Also subsites like clang.llvm.org, when accessed via HTTPS, throw up a browser warning page because they are reporting their domain name as llvm.org... https://clang.llvm.org
*** Bug 31479 has been marked as a duplicate of this bug. ***
This was fixed at some point -- https://llvm.org/ isn't 404 anymore, but now shows the LLVM front page. (same as the insecure HTTP version of that URL) These sites mentioned in other comments all load fine for me, too: https://clang.llvm.org/ https://llvm.org/apt/ https://llvm.org/PR15653 (replacing "nnnn" with an actual bug number)
Thanks for fixing this issue. It's great security improvement ,)
Should I open a new bug to have http redirect automatically to https?
If you have auto-redirect to HTTPS set up you should also consider enabling HSTS to prevent downgrade attacks.