[Ach] lists.cert.at should default to https: HTTP 302 redirect and *always* HSTS

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Feb 20 21:23:44 CET 2015

hi all--

i was looking at the ACH archives, and i noticed that
http://lists.cert.at/lists/index.html does not redirect the user agent
to https, even though the https version provides a
Strict-Transport-Security header.

Could the list archive admins please provide an HTTP 302 redirect when
the cleartext version of the page is requested?  This won't defend
against an active attacker (who could strip the 302 redirect) but it's
still useful for clients whose initial contact with the site is only
over networks with at most passive adversaries.

I think you want something like this:

        ServerName lists.cert.at
        RewriteEngine On
        RewriteRule /(.*) https://lists.cert.at/$1

Also, i note that the internal 302 redirect from https://lists.cert.at/
to https://lists.cert.at/lists/index.html doesn't provide the STS
header, even though the target page does.

I suspect the Apache config has something like:

   Header add Strict-Transport-Security "max-age=15768000"

but this only has an effect on HTTP 2xx responses.

You probably want:

   Header always add Strict-Transport-Security "max-age=15768000"

see https://httpd.apache.org/docs/2.2/mod/mod_headers.html#header

This is also useful to ensure that you serve an STS header on an HTTP
404 response.

(it's also recommended on page 11 of the current applied-crypto-hardening.pdf)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 948 bytes
Desc: not available
URL: <http://lists.cert.at/pipermail/ach/attachments/20150220/de479b8f/attachment.sig>

More information about the Ach mailing list