Re: [exim] http://exim.org/ broken since Monday

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Alexander Sabourenkov
Data:  
Para: Nigel Metheringham
CC: Exim-Users
Asunto: Re: [exim] http://exim.org/ broken since Monday
On Thu, Feb 11, 2016 at 12:05 AM, Nigel Metheringham <nigel@???>
wrote:

> Suspect you may have something like a https-everywhere plugin on your
> browser pushing it to an https URL.
>
> We do not serve the base website (exim.org or www.exim.org) over TLS
> currently - attempting to get these over TLS will fail in interesting an
> likely amusing ways. There has been a change in that the parts that are
> served over TLS (on the same IP) do now set a strict https only policy.
>
> I've currently no intention of changing this unless there is a strong
> argument to do so (argument to not do so is key management is a pain).
>
>

Had a presence of mind at last to check headers:


:~$ wget -SO /dev/null https://exim.org/
--2016-02-11 01:13:33-- https://exim.org/
Resolving exim.org (exim.org)... 131.111.8.88
Connecting to exim.org (exim.org)|131.111.8.88|:443... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: Bugzilla_login_request_cookie=CbKuem8Y0N; path=/; secure;
HttpOnly
Date: Wed, 10 Feb 2016 22:13:34 GMT
X-xss-protection: 1; mode=block
X-frame-options: SAMEORIGIN
X-content-type-options: nosniff
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload


See the Strict-Transport-Security header? That's the culprit.

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
*HTTP Strict Transport Security* (*HSTS*) is a web security policy
mechanism which helps to protect websites against protocol downgrade attacks
<https://en.wikipedia.org/wiki/Protocol_downgrade_attack> and cookie
hijacking <https://en.wikipedia.org/wiki/Session_hijacking>. It allows web
servers to declare that web browsers (or other complying user agents)
should only interact with it using secure HTTPS
<https://en.wikipedia.org/wiki/HTTPS> connections,[1]
<https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security#cite_note-https-1>
and never via the insecure HTTP protocol. HSTS is an IETF
<https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force> standards
track <https://en.wikipedia.org/wiki/Internet_standard> protocol and is
specified in RFC 6797 <https://tools.ietf.org/html/rfc6797>.


Why it doesn't bite me when I launch firefox without Ghostery, Adblock+ and
NoScript, but through SOCKSv5 proxy and under another user I cannot fathom.

But if it is your intention to serve exim.org over http, you should remove
that header. It just might be that I hit some of the domains in https mode
and HSTS mode got set for the whole domain, maybe with some weird
dependency on the certificate.

Also, what is the bugzilla cookie doing here?

--

./lxnt