[Ach] lists.cert.at should default to https: HTTP 302 redirect and *always* HSTS
L. Aaron Kaplan
aaron at lo-res.org
Tue Feb 24 11:49:28 CET 2015
On Feb 20, 2015, at 9:23 PM, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> hi all--
> i was looking at the ACH archives, and i noticed that
> http://lists.cert.at/lists/index.html does not redirect the user agent
> to https, even though the https version provides a
> Strict-Transport-Security header.
> Could the list archive admins please provide an HTTP 302 redirect when
> the cleartext version of the page is requested?
I forwarded this request. Thanks for catching this.
> This won't defend
> against an active attacker (who could strip the 302 redirect) but it's
> still useful for clients whose initial contact with the site is only
> over networks with at most passive adversaries.
> I think you want something like this:
> <VirtualHost 184.108.40.206:80>
> ServerName lists.cert.at
> RewriteEngine On
> # An absolute https:// URL as the substitution makes Apache answer with a redirect (302 here)
> RewriteRule /(.*) https://lists.cert.at/$1 [R=302,L]
> </VirtualHost>
> Also, i note that the internal 302 redirect from https://lists.cert.at/
> to https://lists.cert.at/lists/index.html doesn't provide the STS
> header, even though the target page does.
> I suspect the Apache config has something like:
> Header add Strict-Transport-Security "max-age=15768000"
> but this only has an effect on HTTP 2xx responses.
> You probably want:
> Header always add Strict-Transport-Security "max-age=15768000"
> see https://httpd.apache.org/docs/2.2/mod/mod_headers.html#header
> This is also useful to ensure that you serve an STS header on an HTTP
> 404 response.
> (it's also recommended on page 11 of the current applied-crypto-hardening.pdf)
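The two conditions dkg asks for above (cleartext requests redirected to https, and an STS header on every HTTPS response including the 302 and 404 cases that `Header add` misses) can be checked from the outside. The script below is an added example, not part of the thread; the sample responses it audits are constructed to mirror the before/after states described, and `fetch_head` is a helper for running the same checks against a live host.

```python
# Offline checks for the two fixes requested in the thread: cleartext requests
# must redirect to https, and every HTTPS response (302 and 404 included) must
# carry Strict-Transport-Security, which is what 'Header always' guarantees.
import http.client
import re
from urllib.parse import urlsplit

def _header(headers, name):
    """Case-insensitive lookup in a {name: value} header dict."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def redirects_to_https(status, headers, host):
    """True if a cleartext response is a redirect to https:// on the same host."""
    target = urlsplit(_header(headers, "Location") or "")
    return status in (301, 302, 307, 308) and target.scheme == "https" and target.hostname == host

def has_hsts(status, headers, min_age=15768000):
    """True if STS is present with max-age >= min_age; the status code is irrelevant."""
    value = _header(headers, "Strict-Transport-Security") or ""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return m is not None and int(m.group(1)) >= min_age

def fetch_head(url):
    """HEAD a URL without following redirects; returns (status, headers) for live checks."""
    u = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=10)
    conn.request("HEAD", u.path or "/")
    resp = conn.getresponse()
    return resp.status, dict(resp.getheaders())

# Constructed sample responses mirroring the thread (not captured from the site).
STS = "max-age=15768000"
INDEX = "https://lists.cert.at/lists/index.html"
SAMPLES = {
    "http_root_before": (200, {"Content-Type": "text/html"}),     # served in cleartext
    "http_root_after": (302, {"Location": "https://lists.cert.at/"}),
    "https_root_before": (302, {"Location": INDEX}),              # 'Header add' skips a 302
    "https_root_after": (302, {"Location": INDEX, "Strict-Transport-Security": STS}),
    "https_404_after": (404, {"Strict-Transport-Security": STS}),
}

def audit(samples, host="lists.cert.at"):
    """Return the names of samples failing the check that applies to their scheme."""
    failed = []
    for name, (status, headers) in samples.items():
        ok = redirects_to_https(status, headers, host) if name.startswith("http_") else has_hsts(status, headers)
        if not ok:
            failed.append(name)
    return failed  # on SAMPLES: ['http_root_before', 'https_root_before']
```

For a live check, feed `fetch_head("http://lists.cert.at/")` to `redirects_to_https` and `fetch_head("https://lists.cert.at/")` plus a nonexistent path to `has_hsts`.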