Re: How is this possible? Apache sends HSTS on a non valid cert but user can proceed, on compatible browser

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello,

Not strictly a httpd specific issue but nevertheless, Chrome/Firefox should ignore the header because it is not delivered with a valid certificate and thus there is no way of knowing if it was actually issued by the website.

You should get the expected result if you first respond with an HSTS header in a valid TLS request and then future requests should be prevented from proceeding if there is a certificate error.

This is why HSTS are being preloaded for major websites as that would to cover the first request. For your average website there isn't currently a solution to this.



Kind Regards,

Scott

First Class Watches
9 Warwick Road
Kenilworth
CV8 1HD
Warwickshire
United Kingdom

On 6 October 2014 22:36, Eddie B <eddie@xxxxxxxxxxxxxxx> wrote:

I have an https server that sets the HSTS header, but up to date Chrome (and other HSTS compatible browsers, such as Firefox 32) still let the user proceed to HTTPS. Isn’t the specific reason HSTS exists to prevent users from proceeding?

 

Here’s the server: http://pastebin.com/JFJw1m40

 

How is this possible?


[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux