tickets #2934
Issue with strict-transport-security on opensuse.org
Status: closed
Description
Opensuse,
I am a graduate student doing a study on the implementation issues with preloaded and dynamic strict-transport-security at Princeton University. In a crawl of the top 10000, I found your site (https://www.opensuse.org) is one of quite a few that sets a valid STS header ('strict-transport-security', 'max-age=86400') but then redirects to a non-secure site, 'http://www.opensuse.org/en/' (or /de or whatever, dependent on language). Below I am including the full header.

Your site does eventually end up secure, so you must have another check compensating for the redirect from https to http that redirects back to https, but this methodology is clearly not ideal. I believe this internal compensation is what is causing your certificate to show the error "This website does not supply ownership information." The two main reasons for this error on an HTTPS site are if "you requested a page over HTTP" or "you requested a page over HTTPS, but the page contains mixed passive content".

Finally, you have a minor issue with the base (non-www) redirects: http://opensuse.org redirects, but https://opensuse.org is an invalid site (does not redirect).

I hope you find these comments useful. Let me know if you have any questions where I can provide further information; thank you for being open source, and good luck with the site!
Sincerely,
Michael Kranch
Full https://www.opensuse.org header:
[('content-length', '0'), ('via', '1.1 www.opensuse.org (Access Gateway-ag-BFC678DFBE6884C5-227470080)'), ('x-powered-by', 'PHP/5.3.17'), ('set-cookie', 'ZNPCQ003-33363700=c46c216f; Path=/; Domain=.opensuse.org, lb_opensuse=NDODEBIJ; Domain=.opensuse.org; Path=/, lb_opensuse=NDODEBIJ; Domain=.opensuse.org; Path=/'), ('expires', 'Tue, 22 Jul 2014 00:27:13 GMT'), ('server', 'Apache/2.2.12 (Linux/SUSE)'), ('x-mag', 'BFC678DFBE6884C5;2aaac39e;227470080;usrLkup->0;usrBase->0;getPRBefFind->0;getPRBefFind->0;PRAfterFind->0;openwww_root;publicURL->0;openwww;RwDis;FF1End->0;FP2->0;WS=c46c216f;FP4->1;'), ('strict-transport-security', 'max-age=86400'), ('location', 'http://www.opensuse.org/en/'), ('cache-control', 'max-age=3600'), ('date', 'Mon, 21 Jul 2014 23:27:13 GMT'), ('content-type', 'text/html')]
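The pattern reported above (a Strict-Transport-Security header on an HTTPS response whose Location points back at plain http://) is easy to check mechanically from a header dump like the one in this ticket. The following is an added example, not code from the reporter or from the openSUSE project; it works offline on a constructed copy of the relevant header fields (the real dump also carries cookies, x-mag and so on), so it does not reproduce the live apex-domain failure the reporter mentions, which needs an actual connection attempt.

```python
"""Audit one HTTPS response for the HSTS-then-downgrade pattern from the ticket.

Added example for this ticket page; operates on (name, value) header tuples
in the same shape as the dump above, with no network access.
"""
from urllib.parse import urlsplit

# Constructed sample, modelled on the header dump in the ticket: only the
# fields the check needs are kept.
SAMPLE_HEADERS = [
    ('content-length', '0'),
    ('strict-transport-security', 'max-age=86400'),
    ('location', 'http://www.opensuse.org/en/'),
    ('content-type', 'text/html'),
]


def parse_hsts(value):
    """Parse an STS header value into max_age / include_subdomains / preload.

    Directive names are case-insensitive (RFC 6797); a max-age that is
    missing or non-numeric is reported as None so the caller can flag it.
    """
    out = {'max_age': None, 'include_subdomains': False, 'preload': False}
    for part in value.split(';'):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition('=')
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == 'max-age':
            try:
                out['max_age'] = int(val)
            except ValueError:
                out['max_age'] = None
        elif name == 'includesubdomains':
            out['include_subdomains'] = True
        elif name == 'preload':
            out['preload'] = True
    return out


def audit_hsts_redirect(request_url, headers):
    """Return a list of finding strings for one response (empty means clean).

    Browsers only honour an STS header received over HTTPS, and a first-time
    visitor who is redirected from https to http makes at least one cleartext
    round trip before the policy can protect them; if the http side bounces
    straight back to https, that is the redirect chain the ticket describes.
    """
    findings = []
    hdrs = {}
    for name, value in headers:
        hdrs.setdefault(name.lower(), []).append(value)
    sts_values = hdrs.get('strict-transport-security', [])

    if urlsplit(request_url).scheme != 'https':
        if sts_values:
            findings.append('STS header sent over http; browsers must ignore it')
        return findings
    if not sts_values:
        findings.append('no Strict-Transport-Security header on https response')
        return findings
    if len(sts_values) > 1:
        # RFC 6797 8.1: a UA processes only the first STS header it sees.
        findings.append('multiple STS headers; only the first is processed')

    policy = parse_hsts(sts_values[0])
    if policy['max_age'] is None:
        findings.append('STS header has no usable max-age; UAs will ignore it')
    elif policy['max_age'] == 0:
        findings.append('max-age=0 clears the policy rather than setting one')

    # The core of the ticket: HSTS asserted, then a downgrade to cleartext.
    for loc in hdrs.get('location', []):
        if urlsplit(loc).scheme == 'http':
            findings.append('HSTS response redirects to cleartext %s' % loc)
    return findings


if __name__ == '__main__':
    for f in audit_hsts_redirect('https://www.opensuse.org/', SAMPLE_HEADERS):
        print(f)
```

Run against the constructed sample it reports the one finding the ticket is about; the fix on the server side is to issue the language redirect to an https:// URL so the HSTS policy and the redirect target agree. In a live crawl the same function can be fed each hop of the redirect chain in turn, and a separate connection attempt to https://opensuse.org would cover the apex-domain point.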