tickets #2934
Issue with strict-transport-security on opensuse.org (closed)
Description
Opensuse,
I am a graduate student doing a study on the implementation issues with preloaded and dynamic strict-transport-security at Princeton University. In a crawl of the top 10000, I found your site (https://www.opensuse.org) is one of quite a few that sets a valid STS header ('strict-transport-security', 'max-age=86400') but then redirects to a non-secure site 'http://www.opensuse.org/en/' (or /de or whatever dependent on language). Below I am including the full header. Your site does eventually end up secure, so you must have another check compensating for the redirect from https to http that redirects back to https, but this methodology is clearly not ideal.

I believe this internal compensation is what is causing your certificate to show the error "This website does not supply ownership information." The two main reasons for this error on an HTTPS site are if "you requested a page over HTTP" or "you requested a page over HTTPS, but the page contains mixed passive content". Finally, you have a minor issue with the base (non www) redirects. http://opensuse.org redirects but https://opensuse.org is an invalid site (does not redirect).

I hope you find these comments useful. Let me know if you have any questions where I can provide further information. Thank you for being open source, and good luck with the site!
Sincerely,
Michael Kranch
Full https://www.opensuse.org header:
[('content-length', '0'), ('via', '1.1 www.opensuse.org (Access Gateway-ag-BFC678DFBE6884C5-227470080)'), ('x-powered-by', 'PHP/5.3.17'), ('set-cookie', 'ZNPCQ003-33363700=c46c216f; Path=/; Domain=.opensuse.org, lb_opensuse=NDODEBIJ; Domain=.opensuse.org; Path=/, lb_opensuse=NDODEBIJ; Domain=.opensuse.org; Path=/'), ('expires', 'Tue, 22 Jul 2014 00:27:13 GMT'), ('server', 'Apache/2.2.12 (Linux/SUSE)'), ('x-mag', 'BFC678DFBE6884C5;2aaac39e;227470080;usrLkup->0;usrBase->0;getPRBefFind->0;getPRBefFind->0;PRAfterFind->0;openwww_root;publicURL->0;openwww;RwDis;FF1End->0;FP2->0;WS=c46c216f;FP4->1;'), ('strict-transport-security', 'max-age=86400'), ('location', 'http://www.opensuse.org/en/'), ('cache-control', 'max-age=3600'), ('date', 'Mon, 21 Jul 2014 23:27:13 GMT'), ('content-type', 'text/html')]
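The pattern the report describes (an HTTPS response that sets a valid HSTS header and, in the same response, redirects the client to a plain http:// URL) is easy to check mechanically from a header list. The following is an added example, not code from the ticket or from openSUSE's infrastructure; it works on the (name, value) tuple format quoted above, with a sample header set constructed from the report's dump, and additionally flags a short max-age (the one-year threshold is the usual preload minimum, an assumption not stated in the ticket).

```python
from urllib.parse import urlsplit

# Constructed from the header dump in the report, reduced to the fields the
# check needs. Not a live capture.
SAMPLE_HEADERS = [
    ("strict-transport-security", "max-age=86400"),
    ("location", "http://www.opensuse.org/en/"),
    ("content-type", "text/html"),
]

def parse_hsts(value):
    # Split an HSTS value into directives; names are case-insensitive (RFC 6797).
    # max-age becomes an int (None if malformed), flag directives become True.
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "max-age":
            directives[name] = int(raw) if raw.isdigit() else None
        else:
            directives[name] = True
    return directives

def audit_hsts_redirect(request_url, headers, min_max_age=31536000):
    # Return a list of findings for one response: missing or short HSTS, and
    # the downgrade redirect from the ticket (Location pointing at http://).
    findings = []
    if urlsplit(request_url).scheme != "https":
        return ["HSTS is only honoured on HTTPS responses; request was not HTTPS"]
    lower = {name.lower(): value for name, value in headers}
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        max_age = parse_hsts(hsts).get("max-age")
        if max_age is None:
            findings.append("HSTS header lacks a valid max-age directive")
        elif max_age < min_max_age:
            findings.append(f"HSTS max-age {max_age}s is below {min_max_age}s")
    location = lower.get("location")
    if location and urlsplit(location).scheme == "http":
        findings.append(f"HTTPS response redirects to insecure URL {location}")
    return findings
```

Run against a real capture, an empty findings list means the response sets HSTS with an adequate lifetime and, if it redirects at all, keeps the client on HTTPS.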
Updated by Anonymous almost 10 years ago
- Assignee set to 160
Thank you for your report. We will look into it soon.
Updated by Anonymous almost 10 years ago
- Category set to Servers hosted in Provo
Updated by MatthewEhle almost 9 years ago
- Status changed from New to In Progress
We have made some progress on this.
The main issue is the mixed content. This has been fixed in several key places, such as the main page, but a lot of this is still going to happen on pages that pull in non-HTTPS resources. I'm not sure there is a resolution to this other than community education and encouragement to link HTTPS wherever possible.
Updated by MatthewEhle almost 9 years ago
- Status changed from In Progress to Resolved
Marking this as resolved. The items here have either been resolved, or will not be resolved for various reasons.