[Ach] lists.cert.at should default to https: HTTP 302 redirect and *always* HSTS

L. Aaron Kaplan aaron at lo-res.org
Tue Feb 24 11:49:28 CET 2015


On Feb 20, 2015, at 9:23 PM, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:

> hi all--
> 
> i was looking at the ACH archives, and i noticed that
> http://lists.cert.at/lists/index.html does not redirect the user agent
> to https, even though the https version provides a
> Strict-Transport-Security header.
> 
> Could the list archive admins please provide an HTTP 302 redirect when
> the cleartext version of the page is requested?

I forwarded this request. Thanks for catching this.

>  This won't defend
> against an active attacker (who could strip the 302 redirect) but it's
> still useful for clients whose initial contact with the site is only
> over networks with at most passive adversaries.
> 
Agreed.

> 
> I think you want something like this:
> 
> <VirtualHost 83.136.38.154:80>
>        ServerName lists.cert.at
>        RewriteEngine On
>        RewriteRule /(.*) https://lists.cert.at/$1
> </VirtualHost>
> 
> 
> Also, i note that the internal 302 redirect from https://lists.cert.at/
> to https://lists.cert.at/lists/index.html doesn't provide the STS
> header, even though the target page does.
> 
> I suspect the Apache config has something like:
> 
>   Header add Strict-Transport-Security "max-age=15768000"
> 
> but this only has an effect on HTTP 2xx responses.
> 
> You probably want:
> 
>   Header always add Strict-Transport-Security "max-age=15768000"
> 
> see https://httpd.apache.org/docs/2.2/mod/mod_headers.html#header
> 
> This is also useful to ensure that you serve an STS header on an HTTP
> 404 response.
> 
> (it's also recommended on page 11 of the current applied-crypto-hardening.pdf)

;-)

> 
> hth,
> 
>        --dkg
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
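Added example, not part of the thread or of the list's actual configuration: a small offline audit in Python of the two points dkg raises. It parses raw HTTP response header blocks and checks (a) that a cleartext response is a redirect to the HTTPS origin, and (b) that every HTTPS response, including the 302 from the site root and a 404, carries a Strict-Transport-Security header with an adequate max-age. The sample responses are constructed to mirror the thread (no redirect on http, a 302 lacking STS, a 200 that has it); the accepted redirect codes, the six-month minimum and the `Response`/`audit` names are this example's own choices.

```python
"""Offline audit of HTTP->HTTPS redirect and HSTS coverage (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Six months, the max-age used in the Header directive quoted in the thread.
MIN_MAX_AGE = 15768000
# Assumption: any of these counts as "redirect to https"; the thread asks for a 302.
REDIRECT_CODES = (301, 302, 307, 308)


@dataclass
class Response:
    scheme: str    # "http" or "https": the scheme the request was made over
    status: int
    headers: dict  # header names lower-cased -> values


def parse_response(scheme: str, raw: str) -> Response:
    """Parse a raw HTTP/1.x status line plus header lines (no body)."""
    lines = raw.strip().splitlines()
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("bad status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Response(scheme, int(m.group(1)), headers)


def hsts_max_age(value: str):
    """Return the max-age directive of an STS header value, or None if absent."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    return int(m.group(1)) if m else None


def audit(resp: Response, expected_host: str) -> list:
    """Return a list of findings for one response; an empty list means it is fine."""
    findings = []
    if resp.scheme == "http":
        # Browsers ignore STS on cleartext responses, so the only useful thing a
        # plaintext response can do is redirect to the HTTPS origin.
        loc = urlsplit(resp.headers.get("location", ""))
        if resp.status not in REDIRECT_CODES or loc.scheme != "https" \
                or loc.hostname != expected_host:
            findings.append("cleartext response is not a redirect to https://%s" % expected_host)
        return findings
    # HTTPS: the STS header must be present on *every* status, not only 2xx.
    sts = resp.headers.get("strict-transport-security")
    if sts is None:
        findings.append("HTTPS %d response has no Strict-Transport-Security header" % resp.status)
        return findings
    age = hsts_max_age(sts)
    if age is None:
        findings.append("Strict-Transport-Security header lacks max-age")
    elif age < MIN_MAX_AGE:
        findings.append("max-age %d is below the %d minimum" % (age, MIN_MAX_AGE))
    return findings


# Constructed sample captures (not real server output), keyed by a label.
SAMPLES = {
    "http-index": ("http", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"),
    "https-root": ("https", "HTTP/1.1 302 Found\r\n"
                            "Location: https://lists.cert.at/lists/index.html\r\n"),
    "https-index": ("https", "HTTP/1.1 200 OK\r\n"
                             "Strict-Transport-Security: max-age=15768000\r\n"),
    "https-404": ("https", "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n"),
    "http-fixed": ("http", "HTTP/1.1 302 Found\r\n"
                           "Location: https://lists.cert.at/lists/index.html\r\n"),
}


def audit_all(samples=SAMPLES, host="lists.cert.at") -> dict:
    """Audit every sample; returns {label: [findings]}."""
    return {label: audit(parse_response(scheme, raw), host)
            for label, (scheme, raw) in samples.items()}


if __name__ == "__main__":
    for label, findings in audit_all().items():
        print(label, "OK" if not findings else "; ".join(findings))
```

Run it against real captures by pasting the output of `curl -sI http://host/` and `curl -sI https://host/path` into `SAMPLES`; the `https-root` and `https-404` entries are exactly the cases that `Header add` (without `always`) leaves uncovered and that `Header always add` fixes.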
