https://qubes-os.org redirects to an insecure page: http://www.qubes-os.org/ (and potentially enabling HSTS?) #2754
Comments
ghost
changed the title from
https://qubes-os.org redirects to an insecure page: http://www.qubes-os.org/
to
https://qubes-os.org redirects to an insecure page: http://www.qubes-os.org/ (and potentially enabling HSTS?)
Apr 18, 2017
@marmarek, can you control this via Cloudflare's settings?
andrewdavidwong
added
C: website
task
labels
Apr 18, 2017
andrewdavidwong
added this to the
Documentation/website milestone
Apr 18, 2017
marmarek
Apr 18, 2017
Member
I've added http://qubes-os.org/ -> https://qubes-os.org/ redirect in CF, but now github pages redirect https://qubes-os.org/ -> http://www.qubes-os.org/ ...
Ok, added the second redirect also at CF level. Now the only issue reported by hsts preload is missing includeSubDomains. But for this we need to be sure that really all subdomains use HTTPS.
andrewdavidwong
Apr 18, 2017
Member
> But for this we need to be sure that really all subdomains use HTTPS.
The ones that I'm aware of appear to, but I don't have access to an exhaustive list.
marmarek
Apr 18, 2017
Member
The list isn't that long. Looks like all of them do support https. But not all have redirects http->https. I guess it's irrelevant here (for HSTS preload)?
I'm wondering about yum.qubes-os.org and deb.qubes-os.org. AFAIR there were some problems with https and APT repositories. Does APT (or any non-browser http client) care about HSTS?
No idea. Maybe @adrelanos knows?
adrelanos
Apr 19, 2017
Member
> Does APT care about HSTS?
No, and I haven't found any discussions about having apt-get do that either. Looks like HSTS makes limited sense for apt-get? Either you add some https or http repositories. If it's https, it should really be used. And if it's http, it should not automagically upgrade to https. I guess?
Ok, enabled includeSubDomains. Let's hope I didn't miss anything...
ghost
Jun 30, 2017
@marmarek @andrewdavidwong This has been implemented https://hstspreload.org/?domain=qubes-os.org
Please close the issue.
ghost commented Apr 18, 2017
https://qubes-os.org redirects to an insecure page: http://www.qubes-os.org/.
http://qubes-os.org should immediately redirect to https://qubes-os.org (and then to https://www.qubes-os.org). Take a look at: https://hstspreload.org/?domain=qubes-os.org
By solving the issues above the Qubes-os.org website will get added to the HSTS Preload list (which is used by the main web browsers, Chrome, Firefox, ...) to force HTTPS.
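
The checks this thread works through (no https-to-http downgrade in the redirect chain, http upgrading first to https on the same host, `includeSubDomains` present in the HSTS header) can be written as a small offline audit. This is an added example, not part of the original issue or the Qubes project's tooling; the function names, redirect chains and header values are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def audit(chain, hsts_header):
    """chain: URLs visited in order, following redirects.
    hsts_header: header value served by the https:// apex, or None."""
    issues = []
    hops = [urlsplit(u) for u in chain]
    # An http:// start must upgrade to https:// on the same host first.
    if hops[0].scheme == "http" and (
        len(hops) < 2
        or hops[1].scheme != "https"
        or hops[1].hostname != hops[0].hostname
    ):
        issues.append("http does not redirect first to https on the same host")
    # No later hop may fall back from https to http.
    for prev, nxt in zip(hops, hops[1:]):
        if prev.scheme == "https" and nxt.scheme == "http":
            issues.append(f"downgrade: {prev.geturl()} -> {nxt.geturl()}")
    if hsts_header is None:
        issues.append("no Strict-Transport-Security header")
        return issues
    d = parse_hsts(hsts_header)
    if not d.get("max-age", "").isdigit():
        issues.append("missing or invalid max-age")
    if "includesubdomains" not in d:
        issues.append("missing includeSubDomains")
    return issues

# Constructed samples following the states described in the thread.
AS_REPORTED = ["https://qubes-os.org/", "http://www.qubes-os.org/"]
BOTH_REDIRECTS = ["http://qubes-os.org/", "https://qubes-os.org/",
                  "https://www.qubes-os.org/"]
HSTS_NO_SUBDOMAINS = "max-age=31536000"                  # constructed value
HSTS_WITH_SUBDOMAINS = "max-age=31536000; includeSubDomains"

if __name__ == "__main__":
    print(audit(AS_REPORTED, None))
    print(audit(BOTH_REDIRECTS, HSTS_NO_SUBDOMAINS))
    print(audit(BOTH_REDIRECTS, HSTS_WITH_SUBDOMAINS))
```

To audit a live site, feed `audit` the redirect chain and header captured by any HTTP client with automatic redirect following disabled.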