Accessing the blog tab of nuget.org - blog.nuget.org uses an invalid security certificate #2535

Closed
jmp75 opened this Issue Jun 8, 2015 · 8 comments

@jmp75

jmp75 commented Jun 8, 2015

Was looking for information about a possible API to analyse package stats - came across links to blog.nuget.org via google

Firefox 38.0.5
Windows 7

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.

blog.nuget.org uses an invalid security certificate. The certificate is only valid for the following names: www.github.com, github.com, *.github.com, *.github.io, github.io, *.githubusercontent.com, githubusercontent.com (Error code: ssl_error_bad_cert_domain)

@hickford

Contributor

hickford commented Jun 8, 2015

Perhaps includeSubDomains is too strong in the Strict-Transport-Security header

Strict-Transport-Security: max-age=31536000; includeSubDomains

<add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />

@hickford

Contributor

hickford commented Jun 8, 2015

I think this has also broken http://status.nuget.org/. Chrome and Firefox will use https://status.nuget.org/ which times out.

maartenba added a commit that referenced this issue Jun 8, 2015

@vcsjones


vcsjones commented Jun 8, 2015

This is kind of a gnarly issue. Even if you remove the HSTS header, it'll still be broken for people that managed to capture the HSTS header.

@maartenba

Contributor

maartenba commented Jun 8, 2015

Yeah agreed. We're changing this to no longer include includeSubDomains. Once deployed (will notify via this GitHub issue), you will have to manually clear HSTS settings in your browser.

Here's a how-to: http://classically.me/blogs/how-clear-hsts-settings-major-browsers

@hickford

Contributor

hickford commented Jun 8, 2015

Gnarly yes but (reading the spec carefully) I think after removing includeSubDomains browsing to https://www.nuget.org/ will update the browser cache, so you can get to http://blog.nuget.org again.
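To check the cache-update argument above against the RFC 6797 rules, here is an added simulation of a browser's HSTS store (not code from this thread or from the NuGet project). It assumes the `includeSubDomains` policy was cached for the parent host `nuget.org`, which is the only host whose policy can cover `blog.nuget.org`; the test replays the header from the thread, then the corrected header without `includeSubDomains`.

```python
import time
from dataclasses import dataclass


@dataclass
class HstsEntry:
    expires: float            # absolute time (seconds since epoch) when the policy lapses
    include_subdomains: bool  # was the includeSubDomains directive present?


class HstsCache:
    """Minimal RFC 6797-style HSTS store: one entry per host, newest valid header wins."""

    def __init__(self):
        self.hosts = {}

    def process_header(self, host, header_value, now=None, secure=True):
        """Apply a Strict-Transport-Security header received from `host`."""
        if not secure:
            return  # RFC 6797 8.1: headers over plain HTTP are ignored
        now = time.time() if now is None else now
        max_age, include_sub = None, False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                max_age = int(value.strip().strip('"'))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # max-age is required; an invalid header is ignored
        if max_age == 0:
            self.hosts.pop(host.lower(), None)  # max-age=0 evicts the host
            return
        self.hosts[host.lower()] = HstsEntry(now + max_age, include_sub)

    def must_use_https(self, host, now=None):
        """True if the UA must rewrite http://host to https://host (8.2/8.3)."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):           # exact host, then each parent domain
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None or entry.expires <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def replay_issue():
    """Constructed replay: header from the thread, then the corrected header a minute later."""
    cache, t0 = HstsCache(), 1_000_000.0
    cache.process_header("nuget.org", "max-age=31536000; includeSubDomains", now=t0)
    before = cache.must_use_https("blog.nuget.org", now=t0)          # forced to https
    cache.process_header("nuget.org", "max-age=31536000", now=t0 + 60)
    after = cache.must_use_https("blog.nuget.org", now=t0 + 60)      # plain http again
    return before, after
```

The second header replaces the cached entry outright, so the subdomain stops being upgraded on the next visit to the parent host without anyone clearing browser state by hand.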

@yishaigalatzer yishaigalatzer reopened this Jun 8, 2015

@vcsjones


vcsjones commented Jun 8, 2015

@hickford that is my understanding as well.

@maartenba

Contributor

maartenba commented Jun 9, 2015

Deployed, please visit www.nuget.org or clear HSTS in browser.

@maartenba maartenba closed this Jun 9, 2015

@vcsjones


vcsjones commented Jun 9, 2015

Confirmed, thanks.
