https://qubes-os.org redirects to an insecure page: http://www.qubes-os.org/ (and potentially enabling HSTS?) #2754

Closed
ghost opened this Issue Apr 18, 2017 · 9 comments

@ghost

ghost commented Apr 18, 2017

https://qubes-os.org redirects to an insecure page: http://www.qubes-os.org/. http://qubes-os.org should immediately redirect to https://qubes-os.org (and then to https://www.qubes-os.org). Take a look at: https://hstspreload.org/?domain=qubes-os.org

By solving the issues above, the Qubes-os.org website will get added to the HSTS Preload list (which is used by the main web browsers: Chrome, Firefox, ...) to force HTTPS.

@ghost ghost changed the title from https://qubes-os.org redirects to an insecure page: http://www.qubes-os.org/ to https://qubes-os.org redirects to an insecure page: http://www.qubes-os.org/ (and potentially enabling HSTS?) Apr 18, 2017

@andrewdavidwong

Member

andrewdavidwong commented Apr 18, 2017

@marmarek, can you control this via Cloudflare's settings?

@andrewdavidwong andrewdavidwong added this to the Documentation/website milestone Apr 18, 2017

@marmarek


Member

marmarek commented Apr 18, 2017

I've added an http://qubes-os.org/ -> https://qubes-os.org/ redirect in CF, but now GitHub Pages redirects https://qubes-os.org/ -> http://www.qubes-os.org/ ...
Ok, added the second redirect also at the CF level. Now the only issue reported by HSTS preload is missing includeSubDomains. But for this we need to be sure that really all subdomains use HTTPS.
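Added example (not code from the issue thread or the Qubes project): a small offline Python checker for the two conditions the thread is working through, i.e. the opening report's requirement that the plain-http entry point redirect straight to https on the same host without any later hop falling back to http, and the remaining hstspreload.org complaint about the Strict-Transport-Security header lacking includeSubDomains. The redirect chains are constructed samples modelled on the before/after states described above, the header names are assumed to be lower-cased by whatever client collected them, and MIN_MAX_AGE is hstspreload.org's current one-year minimum (the threshold was lower in 2017, so it is kept as a parameter).

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# hstspreload.org's current minimum max-age (one year). Assumption: kept as a
# parameter because the minimum was lower in 2017 and the policy may change.
MIN_MAX_AGE = 31536000


@dataclass
class Hop:
    """One response in a redirect chain (header names stored lower-case)."""
    url: str
    status: int
    headers: Dict[str, str]


def parse_hsts(value: str) -> Dict[str, object]:
    """Split a Strict-Transport-Security value into its directives (RFC 6797).
    Directive names are case-insensitive; valueless directives map to True."""
    directives: Dict[str, object] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else True
    return directives


def check_redirect_chain(chain: List[Hop]) -> List[str]:
    """The http:// entry point must redirect straight to https:// on the same
    host, and no later hop may drop back to plain http."""
    problems: List[str] = []
    first = chain[0]
    src = urlsplit(first.url)
    if src.scheme == "http":
        loc = first.headers.get("location", "")
        dst = urlsplit(loc)
        if first.status not in (301, 302, 307, 308) or not loc:
            problems.append(f"{first.url} does not redirect")
        elif dst.scheme != "https" or dst.hostname != src.hostname:
            problems.append(f"{first.url} redirects to {loc}, expected https://{src.hostname}/")
    for hop in chain[1:]:
        if urlsplit(hop.url).scheme != "https":
            problems.append(f"chain falls back to insecure hop {hop.url}")
    return problems


def check_hsts_header(hop: Hop) -> List[str]:
    """Validate the policy on the base domain's first https:// response."""
    problems: List[str] = []
    raw = hop.headers.get("strict-transport-security")
    if raw is None:
        return [f"no Strict-Transport-Security header on {hop.url}"]
    d = parse_hsts(raw)
    max_age = d.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below the minimum {MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload")
    return problems


def preload_eligible(chain: List[Hop]) -> Tuple[bool, List[str]]:
    """Run both checks; returns (ok, human-readable list of problems)."""
    if not chain:
        return False, ["empty redirect chain"]
    problems = check_redirect_chain(chain)
    https_hops = [h for h in chain if urlsplit(h.url).scheme == "https"]
    if https_hops:
        problems += check_hsts_header(https_hops[0])
    else:
        problems.append("no https:// response anywhere in the chain")
    return not problems, problems


# Constructed sample modelled on the state the issue reports: the CDN redirect
# to https is in place, but the next hop sends the client back to plain http
# on www and no HSTS header is served.
BROKEN_CHAIN = [
    Hop("http://qubes-os.org/", 301, {"location": "https://qubes-os.org/"}),
    Hop("https://qubes-os.org/", 301, {"location": "http://www.qubes-os.org/"}),
    Hop("http://www.qubes-os.org/", 200, {"content-type": "text/html"}),
]

# Constructed sample of the fixed state: every hop after the first stays on
# https and the base domain serves a policy with includeSubDomains and preload.
FIXED_CHAIN = [
    Hop("http://qubes-os.org/", 301, {"location": "https://qubes-os.org/"}),
    Hop("https://qubes-os.org/", 301, {
        "location": "https://www.qubes-os.org/",
        "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
    }),
    Hop("https://www.qubes-os.org/", 200, {"content-type": "text/html"}),
]

if __name__ == "__main__":
    for name, chain in (("before", BROKEN_CHAIN), ("after", FIXED_CHAIN)):
        ok, problems = preload_eligible(chain)
        print(name, "eligible" if ok else "NOT eligible", problems)
```

To run it against a live site you would feed it the hops an HTTP client records while following redirects from the plain-http URL; the checker deliberately inspects the first https response for the policy, because that is the base-domain response hstspreload.org evaluates, and it treats includeSubDomains as a hard requirement, which is why the thread's "are all subdomains really on HTTPS?" question has to be answered before enabling it.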

@andrewdavidwong

Member

andrewdavidwong commented Apr 18, 2017

> But for this we need to be sure that really all subdomains use HTTPS.

The ones that I'm aware of appear to, but I don't have access to an exhaustive list.

@marmarek


Member

marmarek commented Apr 18, 2017

The list isn't that long. Looks like all of them do support HTTPS. But not all have HTTP->HTTPS redirects. I guess it's irrelevant here (for HSTS preload)?
I'm wondering about yum.qubes-os.org and deb.qubes-os.org. AFAIR there were some problems with HTTPS and APT repositories. Does APT (or any non-browser HTTP client) care about HSTS?

@andrewdavidwong

Member

andrewdavidwong commented Apr 18, 2017

No idea. Maybe @adrelanos knows?

@adrelanos

Member

adrelanos commented Apr 19, 2017

> Does APT care about HSTS?

No, and I haven't found any discussions about having apt-get do that either. Looks like HSTS makes limited sense for apt-get? Either you add some HTTPS or HTTP repositories. If it's HTTPS, it should really be used. And if it's HTTP, it should not automagically upgrade to HTTPS. I guess?

@marmarek

Member

marmarek commented Apr 19, 2017

Ok, enabled includeSubDomains. Let's hope I didn't miss anything...

@ghost

ghost commented Jun 30, 2017

@marmarek @andrewdavidwong This has been implemented: https://hstspreload.org/?domain=qubes-os.org

Please close the issue.

@marmarek marmarek closed this Jun 30, 2017
