httpd-users mailing list archives

From "Scott (firstclasswatches.co.uk)" <scott.lu...@firstclasswatches.co.uk>
Subject Re: [users@httpd] How is this possible? Apache sends HSTS on a non valid cert but user can proceed, on compatible browser
Date Mon, 06 Oct 2014 21:52:01 GMT
Hello,

Not strictly an httpd-specific issue, but nevertheless Chrome/Firefox should
ignore the header because it is not delivered with a valid certificate and
thus there is no way of knowing whether it was actually issued by the website.

You should get the expected result if you first respond with an HSTS header
in a valid TLS request and then *future* requests should be prevented from
proceeding if there is a certificate error.

This is why HSTS is being preloaded for major websites, as that would
cover the first request. For your average website there isn't currently a
solution to this.



Kind Regards,

Scott

First Class Watches
9 Warwick Road
Kenilworth
CV8 1HD
Warwickshire
United Kingdom

On 6 October 2014 22:36, Eddie B <eddie@mattermedia.com> wrote:

> I have an https server that sets the HSTS header, but up to date Chrome
> (and other HSTS compatible browsers, such as Firefox 32) still let the user
> proceed to HTTPS. Isn't the specific reason HSTS exists to prevent users
> from proceeding?
>
> Here's the server: http://pastebin.com/JFJw1m40
>
> How is this possible?
>
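The behaviour Scott describes (a browser only records the policy when it arrives over an error-free TLS connection, and only then makes a later certificate error fatal; the preload list covers the very first request) is modelled below in a small RFC 6797-style policy store. This is an added illustration, not code from the thread or from httpd; the preload entry, the `tlsOk` flag and the simplified directive parser are assumptions of the example.

```javascript
// Toy model of a user agent's HSTS decisions (added example, not browser code).
// Constructed stand-in for the browser's built-in preload list.
const PRELOAD = new Map([["preloaded.example", { includeSubDomains: true }]]);

// Parse the Strict-Transport-Security value; max-age is mandatory (RFC 6797 s6.1).
// Simplified: quoted values and unknown directives are not handled.
function parseSts(value) {
  const dirs = value.split(";").map(s => s.trim().toLowerCase());
  const m = dirs.map(d => d.match(/^max-age=(\d+)$/)).find(Boolean);
  if (!m) return null;
  return { maxAge: Number(m[1]), includeSubDomains: dirs.includes("includesubdomains") };
}

class HstsStore {
  constructor(now = () => Date.now()) { this.now = now; this.known = new Map(); }

  // Called for every HTTPS response. RFC 6797 s8.1: the header is ignored unless the
  // connection had no TLS/certificate errors, so a bad cert never "installs" a policy.
  observeResponse(host, { tlsOk, stsHeader }) {
    if (!tlsOk || !stsHeader) return false;
    const d = parseSts(stsHeader);
    if (d === null) return false;                      // malformed header: ignore
    if (d.maxAge === 0) { this.known.delete(host); return true; }
    this.known.set(host, { expires: this.now() + d.maxAge * 1000,
                           includeSubDomains: d.includeSubDomains });
    return true;
  }

  // Is `host` currently an HSTS host: preloaded, noted dynamically, or covered
  // by a superdomain policy that set includeSubDomains?
  isKnown(host) {
    const labels = host.split(".");
    for (let i = 0; i < labels.length - 1; i++) {
      const domain = labels.slice(i).join(".");
      const pre = PRELOAD.get(domain);
      if (pre && (i === 0 || pre.includeSubDomains)) return true;
      const e = this.known.get(domain);
      if (e && e.expires > this.now() && (i === 0 || e.includeSubDomains)) return true;
    }
    return false;
  }

  // RFC 6797 s8.4: for a known HSTS host a certificate error terminates the
  // connection with no click-through; otherwise the usual interstitial applies.
  onCertError(host) { return this.isKnown(host) ? "terminate" : "prompt"; }
}
```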
