tickets #2934

closed

Issue with strict-transport-security on opensuse.org

Added by mkranch@Princeton.EDU almost 10 years ago. Updated over 8 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Servers hosted in Provo
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:

Description

Opensuse,

I am a graduate student doing a study on the implementation issues with preloaded and dynamic strict-transport-security at Princeton University. In a crawl of the top 10000, I found your site (https://www.opensuse.org) is one of quite a few that sets a valid STS header ('strict-transport-security', 'max-age=86400') but then redirects to a non-secure site 'http://www.opensuse.org/en/' (or /de or whatever, dependent on language). Below I am including the full header.

Your site does eventually end up secure, so you must have another check compensating for the redirect from https to http that redirects back to https, but this methodology is clearly not ideal. I believe this internal compensation is what is causing your certificate to show the error "This website does not supply ownership information." The two main reasons for this error on an HTTPS site are if "you requested a page over HTTP" or "you requested a page over HTTPS, but the page contains mixed passive content".

Finally, you have a minor issue with the base (non-www) redirects: http://opensuse.org redirects but https://opensuse.org is an invalid site (does not redirect). I hope you find these comments useful. Let me know if you have any questions where I can provide further information, thank you for being open source, and good luck with the site!

Sincerely,
Michael Kranch

Full https://www.opensuse.org header:
[('content-length', '0'), ('via', '1.1 www.opensuse.org (Access Gateway-ag-BFC678DFBE6884C5-227470080)'), ('x-powered-by', 'PHP/5.3.17'), ('set-cookie', 'ZNPCQ003-33363700=c46c216f; Path=/; Domain=.opensuse.org, lb_opensuse=NDODEBIJ; Domain=.opensuse.org; Path=/, lb_opensuse=NDODEBIJ; Domain=.opensuse.org; Path=/'), ('expires', 'Tue, 22 Jul 2014 00:27:13 GMT'), ('server', 'Apache/2.2.12 (Linux/SUSE)'), ('x-mag', 'BFC678DFBE6884C5;2aaac39e;227470080;usrLkup->0;usrBase->0;getPRBefFind->0;getPRBefFind->0;PRAfterFind->0;openwww_root;publicURL->0;openwww;RwDis;FF1End->0;FP2->0;WS=c46c216f;FP4->1;'), ('strict-transport-security', 'max-age=86400'), ('location', 'http://www.opensuse.org/en/'), ('cache-control', 'max-age=3600'), ('date', 'Mon, 21 Jul 2014 23:27:13 GMT'), ('content-type', 'text/html')]
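The pattern the report describes (a valid Strict-Transport-Security header on a response that then redirects to plain http://) can be caught offline from a captured response. The following checker is an added example written for this page, not code from the reporter or from openSUSE infrastructure. It takes the header list in the shape the report prints it, parses the STS directives per RFC 6797, flags a downgrade redirect, and shows what an HSTS-aware client does with that Location (it rewrites it back to https, which is the "internal compensation" the reporter noticed). The 302 status and the one-year max-age threshold are assumptions; the ticket shows no status line.

```python
"""Offline analysis of an HTTPS response for HSTS-then-downgrade redirects.

Added example for this ticket page (not the reporter's crawler). It works on
a captured (status, header-list) pair and never touches the network.
"""
from urllib.parse import urlparse, urlunparse

# Constructed sample: the relevant headers recorded in the ticket for
# https://www.opensuse.org. The 302 status is an assumption (not in the ticket).
SAMPLE_URL = "https://www.opensuse.org"
SAMPLE_STATUS = 302
SAMPLE_HEADERS = [
    ("strict-transport-security", "max-age=86400"),
    ("location", "http://www.opensuse.org/en/"),
    ("content-type", "text/html"),
]

# Assumed policy threshold: one year, the value the preload list has asked
# for; the ticket's 86400 seconds (one day) is far below it.
RECOMMENDED_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse an STS header value. Returns None if max-age is missing or malformed."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None  # RFC 6797: max-age must be a non-negative integer
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result if result["max_age"] is not None else None


def header(headers, name):
    """Case-insensitive lookup of the first header with the given name."""
    for key, value in headers:
        if key.lower() == name:
            return value
    return None


def hsts_rewrite(location, policy_host, include_subdomains):
    """Return the URL an HSTS-aware client actually fetches for `location`.

    A client that has cached a policy for policy_host upgrades http:// URLs
    on that host (and on its subdomains when includeSubDomains is set).
    """
    parts = urlparse(location)
    if parts.scheme != "http":
        return location
    host = parts.hostname or ""
    covered = host == policy_host or (
        include_subdomains and host.endswith("." + policy_host))
    if not covered:
        return location
    return urlunparse(parts._replace(scheme="https"))


def analyse_response(url, status, headers):
    """Return a list of finding tags for one HTTPS response."""
    findings = []
    raw = header(headers, "strict-transport-security")
    policy = parse_hsts(raw) if raw is not None else None
    if raw is None:
        findings.append("no-hsts")
    elif policy is None:
        findings.append("invalid-hsts")
    elif policy["max_age"] < RECOMMENDED_MAX_AGE:
        findings.append("short-max-age")

    location = header(headers, "location")
    if 300 <= status < 400 and location:
        if urlparse(location).scheme == "http":
            # The response that set the policy sends the client to plaintext.
            # Clients without a cached policy (first visit, or after
            # max-age expires) will follow it over HTTP.
            findings.append("downgrade-redirect")
    return findings


def client_next_hop(url, headers):
    """Where an HSTS-aware client goes after this response (None if no redirect)."""
    location = header(headers, "location")
    raw = header(headers, "strict-transport-security")
    policy = parse_hsts(raw) if raw is not None else None
    if location is None:
        return None
    if policy is None:
        return location
    return hsts_rewrite(location, urlparse(url).hostname,
                        policy["include_subdomains"])


if __name__ == "__main__":
    print(analyse_response(SAMPLE_URL, SAMPLE_STATUS, SAMPLE_HEADERS))
    print(client_next_hop(SAMPLE_URL, SAMPLE_HEADERS))
```

Running it on the captured headers reports both a short max-age and a downgrade redirect, and shows that an HSTS-aware browser silently turns the Location into https://www.opensuse.org/en/, which is why the site "does eventually end up secure" even though a first-time visitor is sent over plaintext once.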

Actions #1

Updated by Anonymous almost 10 years ago

  • Assignee set to 160

Thank you for your report. We will look into it soon

Actions #2

Updated by Anonymous over 9 years ago

  • Category set to Servers hosted in Provo

Actions #3

Updated by MatthewEhle almost 9 years ago

  • Status changed from New to In Progress

We have made some progress on this.

The main issue is the mixed content. This has been fixed in several key places, such as the main page, but a lot of this is still going to happen on pages that pull in non-HTTPS resources. I'm not sure there is a resolution to this other than community education and encouragement to link HTTPS wherever possible.
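Mixed content of the kind discussed in this comment can be found before a page ships by scanning its HTML for sub-resources referenced over plain http://. The scanner below is an added example, not code from the openSUSE admins or this ticket; it uses only the standard library and splits findings into active mixed content (scripts, stylesheets, frames, which browsers block) and passive mixed content (images and media, which the reporter's browser warned about). The sample page and host names are constructed for the example.

```python
"""Static mixed-content scan of an HTML page served over HTTPS.

Added example for this ticket page; not part of the openSUSE sites.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# (tag, attribute) pairs that cause a sub-resource fetch, by mixed-content class.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"),
           ("source", "src"), ("track", "src")}


class MixedContentScanner(HTMLParser):
    """Collect http:// sub-resource URLs referenced from an https:// page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.active = []
        self.passive = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr, value in attrs.items():
            if value is None:
                continue
            key = (tag, attr)
            if key in ACTIVE:
                bucket = self.active
            elif key in PASSIVE:
                bucket = self.passive
            elif key == ("link", "href"):
                # Only stylesheet links fetch a resource; rel=canonical etc. do not.
                rel = (attrs.get("rel") or "").lower().split()
                if "stylesheet" not in rel:
                    continue
                bucket = self.active
            else:
                continue
            # Resolve against the page: relative paths and scheme-relative
            # "//host/x" inherit https and are therefore not mixed content.
            absolute = urljoin(self.page_url, value.strip())
            if urlparse(absolute).scheme == "http":
                bucket.append(absolute)


def scan(page_url, html):
    """Return (active, passive) lists of http:// URLs found in `html`."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.active, scanner.passive


# Constructed sample page: one active and one passive offender among
# several references that are fine.
SAMPLE_PAGE_URL = "https://www.example.org/"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="http://cdn.example/style.css">
  <link rel="canonical" href="http://www.example.org/">
  <script src="//cdn.example/app.js"></script>
</head><body>
  <img src="http://static.example/logo.png">
  <img src="/images/local.png">
  <video src="https://media.example/intro.mp4"></video>
</body></html>
"""

if __name__ == "__main__":
    active, passive = scan(SAMPLE_PAGE_URL, SAMPLE_HTML)
    print("active mixed content:", active)
    print("passive mixed content:", passive)
```

The canonical link and the scheme-relative script are deliberately left unflagged: only references that would actually be fetched over plaintext from an https:// page count. For a wiki or CMS, the same scan run over rendered pages is the mechanical counterpart to the "community education" the comment mentions, since it points at the exact pages and resources that still need https:// links.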

Actions #4

Updated by tampakrap over 8 years ago

  • Private changed from Yes to No

Actions #5

Updated by MatthewEhle over 8 years ago

  • Status changed from In Progress to Resolved

Marking this as resolved. The items here have either been resolved, or will not be resolved for various reasons.
