[Ach] lists.cert.at should default to https: HTTP 302 redirect and *always* HSTS

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Feb 20 21:23:44 CET 2015


hi all--

i was looking at the ACH archives, and i noticed that
http://lists.cert.at/lists/index.html does not redirect the user agent
to https, even though the https version provides a
Strict-Transport-Security header.

Could the list archive admins please provide an HTTP 302 redirect when
the cleartext version of the page is requested?  This won't defend
against an active attacker (who could strip the 302 redirect) but it's
still useful for clients whose initial contact with the site is only
over networks with at most passive adversaries.


I think you want something like this:

<VirtualHost 83.136.38.154:80>
        ServerName lists.cert.at
        RewriteEngine On
        RewriteRule /(.*) https://lists.cert.at/$1
</VirtualHost>


Also, i note that the internal 302 redirect from https://lists.cert.at/
to https://lists.cert.at/lists/index.html doesn't provide the STS
header, even though the target page does.

I suspect the Apache config has something like:

   Header add Strict-Transport-Security "max-age=15768000"

but this only has an effect on HTTP 2xx responses.

You probably want:

   Header always add Strict-Transport-Security "max-age=15768000"

see https://httpd.apache.org/docs/2.2/mod/mod_headers.html#header

This is also useful to ensure that you serve an STS header on an HTTP
404 response.

(it's also recommended on page 11 of the current applied-crypto-hardening.pdf)

hth,

        --dkg
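
An added example, not part of the original message: a small Python check for the two conditions raised above, that cleartext requests are redirected to https and that every https response (3xx and 404 included) carries Strict-Transport-Security. The host name lists.example and the sample records are constructed, and probe() and audit() are hypothetical helper names.

```python
import http.client
from urllib.parse import urlsplit

def probe(url, timeout=10):
    """Fetch url without following redirects; return (url, status, headers)."""
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return url, resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()

def audit(responses):
    """Return one finding per (url, status, headers) record that fails a check."""
    findings = []
    for url, status, headers in responses:
        if urlsplit(url).scheme == "http":
            # Cleartext: expect a redirect whose target is an https URL.
            location = headers.get("location", "")
            if status not in (301, 302, 307, 308) or not location.startswith("https://"):
                findings.append(f"{url}: cleartext request not redirected to https (status {status})")
        elif "strict-transport-security" not in headers:
            # https: the header must be present whatever the status code is.
            findings.append(f"{url}: {status} response lacks Strict-Transport-Security")
    return findings

# Constructed records modelling a server with no port-80 redirect and
# "Header add" without "always" (header present on the 200 response only).
SAMPLE = [
    ("http://lists.example/lists/index.html", 200, {"content-type": "text/html"}),
    ("https://lists.example/", 302, {"location": "https://lists.example/lists/index.html"}),
    ("https://lists.example/lists/index.html", 200, {"strict-transport-security": "max-age=15768000"}),
    ("https://lists.example/no-such-page", 404, {}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To check a live site, pass audit() a list built from probe() calls on the cleartext URL, the https root, the index page and a path that returns 404.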