Repo Link: http:// -> https:// #87

Closed
NickCraver opened this issue Nov 18, 2018 · 6 comments

Comments

@NickCraver
Member

The setting for the repo here (home link: https://github.com/Microsoft/referencesource) has the website site as http://referencesource.microsoft.com/ when everything has moved to https:// now. Can we please update this setting to https://referencesource.microsoft.com/?

@jakesays-old

jakesays-old commented Nov 18, 2018

This isn't an issue because http:/ redirects to https:/ for the urls in question.

@NickCraver
Member Author

It is an issue, because someone can intercept and change that redirect. The only mitigation for such (short of changing the link) is HSTS preloading. That domain is not on the HSTS preload list nor is it even sending the header.

@jakesays-old

jakesays-old commented Nov 18, 2018 via email

@NickCraver
Member Author

I don't think it's necessary to get into "why https://?" here in the issue - that's just another copy of the discussion on the internet. sslstrip is one example (of many). But anyone in control of your connection or DNS (e.g. any public WiFi) can send the connection where they want. Or any malicious browser extensions (e.g. Chrome store buyouts), etc. The point is: there are lots of ways. If you're curious, search for http => https hijacking to see many examples.

The basics are: you can't have a secure connection to anything if first hopping through an insecure one. This redirect is no different.
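Added example, not part of the original thread or the project's code: a small offline check of how the first request through a published link is protected, following the HSTS and preload points made in the comments above. The function names, result labels and the `preloaded` flag (supplied by the caller after checking the preload list) are assumptions of this sketch, and the sample inputs are constructed.

```python
from urllib.parse import urlsplit

PRELOAD_MIN_AGE = 31536000  # one year: minimum max-age for preload list submission

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; return None if absent or invalid."""
    if not value:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def preload_eligible(policy):
    """True if the policy meets the header requirements for preload submission."""
    return bool(policy and policy["max_age"] >= PRELOAD_MIN_AGE
                and policy["include_subdomains"] and policy["preload"])

def audit_link(url, https_headers, preloaded=False):
    """Classify how the first request made through a published link is protected."""
    if urlsplit(url).scheme.lower() == "https":
        return "https-link"                    # no plaintext hop at all
    if preloaded:
        return "http-preloaded"                # browser upgrades before sending
    headers = {k.lower(): v for k, v in https_headers.items()}
    policy = parse_hsts(headers.get("strict-transport-security"))
    if policy and policy["max_age"] > 0:
        return "http-hsts-after-first-visit"   # first visit still goes out in plaintext
    return "http-unprotected"                  # every visit relies on the plaintext redirect

# Constructed inputs: the first mirrors the state described in the thread
# (http:// link, no HSTS header, not preloaded); nothing is fetched.
SAMPLES = [
    ("http://referencesource.microsoft.com/", {}, False),
    ("http://referencesource.microsoft.com/",
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}, False),
    ("https://referencesource.microsoft.com/", {}, False),
]

if __name__ == "__main__":
    for url, headers, preloaded in SAMPLES:
        print(url, "->", audit_link(url, headers, preloaded))
```

Only the `https-link` and `http-preloaded` results mean no request ever leaves the browser in plaintext; the header must be read from the HTTPS response, since browsers ignore it over plain HTTP.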

@terrajobst
Member

> The setting for the repo here (home link: https://github.com/Microsoft/referencesource) has the website site as http://referencesource.microsoft.com/ when everything has moved to https:// now. Can we please update this setting to https://referencesource.microsoft.com/?

Which setting are you referring to?

@terrajobst
Member

After @NickCraver explained it to me, I was able to fix this :-)
