On 11/02/16 00:37, Marcin Gryszkalis wrote:
>
> From my point of view - this is little misconfiguration - the admin should
> setup small virtual host that would be default for https - without HSTS and
> probably redirecting to http://www.exim.org (so the bugzilla wouldn't be the
> default one).
>
I think that the important thing is that
https://exim.org needs to not
have the "includeSubdomains" option on the HSTS header [unless
*.exim.org really can be accessed over HTTPS with valid certs]. There is
no great advantage to dropping HSTS entirely, as far as I can see
[either way an affected user would need to load
https://exim.org
following the change, and it would independently make sense that
http://exim.org and
https://exim.org serve up the same site].
I'd also suggest that it would make sense to add a cert for
www.exim.org, especially since an unknown number of people may already
be effectively locked out and may either be unaware that they can clear
this state from their browser or believe that it indicates an actual
problem.
I don't know what aspect of key management is a concern to Nigel - but
if additional keys would be a headache then a SAN/wildcard cert to
replace the current bugs.exim.org+exim.org one would be a way to avoid that.
Dominic
