Xfce Community Web Forum

Darac Marjal mailinglist at darac.org.uk
Mon Mar 23 11:24:21 CET 2015


On Sun, Mar 22, 2015 at 03:27:49AM +0000, Wes Gregg wrote:
>    Okay, what is the trick for getting to the website using "http" instead of
>    "https?" I've tried typing:
>    forum.xfce.org - tries to get in using https
>    [code]http://forum.xfce.org[/code] tries to get in using https
>    [code]www.forum.xfce.org[/code] not found
>    I'm using Firefox (36.0.1) in linux (Mint Xfce) if it makes any
>    difference.

The problem you have is that forum.xfce.org uses HSTS (HTTP Strict
Transport Security) which is a header that tells the browser "This
website should be connected to securely; do not attempt to connect to
the HTTP site."

There was a possible attack vector whereby an attacker could get control
of a HTTP site, but not an HTTPS site, and could modify the HTTP site to
redirect elsewhere. Normally, a user would connect to http://example.org
and receive a redirect to https://example.org and know they're secure.
But with a compromised site, they could visit http://example.org, be
directed to http://malicious.example.net which would, say, log their
visit or implant some malware and then redirect them on to
https://example.org.

With the new header, once a browser has connected to the HTTPS site, it
is basically told to never trust the HTTP site. So if you enter
http://example.org, the browser will not send a request to that site at
all. It will internally "correct" your command to https://example.org
and that will be its first point of contact with the server.

Your options are, in that case:
 * Use a different browser, one that has never visited the HTTPS site
 * Wait for the HSTS header to expire (which is usually of the order of
    years)
 * Wait for the owner of the site to fix their certificate :)

>    Thanks!
>     
> 
>    --------------------------------------------------------------------------
> 
>    From: David <dgboles at gmail.com>
>    To: xfce at xfce.org
>    Sent: Friday, March 20, 2015 7:44 PM
>    Subject: Re: Xfce Community Web Forum
>    On 3/20/2015 6:22 PM, Charles A Edwards wrote:
>    > On Fri, 20 Mar 2015 17:37:44 -0400
>    > David wrote:
>    >
>    >
>    >
>    > If you connect using [1]http://forum.xfce.org/ there is no issue.
>    >
>    > If [2]https://forum.xfce.org/ is used all browsers will give the
>    > "Connection is Untrusted" error.
>    >
>    > "forum.xfce.org uses an invalid security certificate.
>    >
>    > The certificate expired on 03/19/2015 04:20 PM. The current time is
>    > 03/20/2015 06:16 PM.
>    >
>    > (Error code: sec_error_expired_certificate)"
>    >
>    >
>    >    Charles
> 
>    Hmm... hi Charles. You are correct sir!!  :-)
> 
>    So this means that their site cert works but not for 'Secret Squirrel'
>    stuff? Correct?  :-) Wow. Which makes me wonder just how unique that is?
> 
>    :-)
> 
>    --
> 
>      David
>    _______________________________________________
>    Xfce mailing list
>    [3]Xfce at xfce.org
>    [4]https://mail.xfce.org/mailman/listinfo/xfce
>    [5]http://www.xfce.org
> 
> References
> 
>    Visible links
>    1. http://forum.xfce.org/
>    2. https://forum.xfce.org/
>    3. mailto:Xfce at xfce.org
>    4. https://mail.xfce.org/mailman/listinfo/xfce
>    5. http://www.xfce.org/

> _______________________________________________
> Xfce mailing list
> Xfce at xfce.org
> https://mail.xfce.org/mailman/listinfo/xfce
> http://www.xfce.org
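The HSTS behaviour explained in the reply above (a host is pinned to HTTPS after one HTTPS visit that carried the header, http:// URLs are rewritten before any request leaves the browser, and the pin lapses only when max-age runs out) can be modelled in a few dozen lines. The following is an added example written for this page, not code from Firefox, from the Xfce project or from the poster; the class and function names, the fake clock and the sample header value for forum.xfce.org are all constructed for illustration.

```python
"""Minimal model of a browser's HSTS cache (RFC 6797).

Added illustration, not a real browser implementation.  Host names,
header values and the fake clock are constructed for the example.
"""
import time
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample header; one year in seconds, covering subdomains too.
SAMPLE_HSTS_HEADER = "max-age=31536000; includeSubDomains"


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security value into its directives.

    Returns {"max_age": int, "include_subdomains": bool} and raises
    ValueError when max-age is missing or malformed (it is mandatory).
    """
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return {"max_age": max_age, "include_subdomains": include_sub}


class HstsCache:
    """Remembers which hosts may only be contacted over HTTPS."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._entries = {}           # host -> (expiry, include_subdomains)

    def record_response(self, host: str, scheme: str, header: Optional[str]):
        """Update the cache after a response from `host` over `scheme`.

        The header is only honoured when it arrived over HTTPS; a plain-HTTP
        response cannot set (or clear) a policy.  max-age=0 removes the pin.
        """
        if scheme != "https" or header is None:
            return
        policy = parse_hsts(header)
        host = host.lower()
        if policy["max_age"] == 0:
            self._entries.pop(host, None)
            return
        self._entries[host] = (self._clock() + policy["max_age"],
                               policy["include_subdomains"])

    def is_known(self, host: str) -> bool:
        """True if `host` (or a parent with includeSubDomains) is pinned."""
        host = host.lower()
        now = self._clock()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                del self._entries[candidate]   # policy has lapsed
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite_url(self, url: str) -> str:
        """Upgrade http:// to https:// for pinned hosts before any request."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            netloc = parts.hostname
            if parts.port and parts.port != 80:   # explicit non-default port kept
                netloc = f"{netloc}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def demo():
    """Replay the thread's scenario: before the HTTPS visit, after it, after expiry."""
    now = [1_000_000.0]
    cache = HstsCache(clock=lambda: now[0])
    before = cache.rewrite_url("http://forum.xfce.org/")      # no pin yet
    cache.record_response("forum.xfce.org", "https", SAMPLE_HSTS_HEADER)
    after = cache.rewrite_url("http://forum.xfce.org/")       # silently upgraded
    now[0] += 31536000 + 1                                    # max-age elapsed
    expired = cache.rewrite_url("http://forum.xfce.org/")     # plain HTTP again
    return before, after, expired


if __name__ == "__main__":
    print(demo())
```

Two points worth noticing in the model: the cache is keyed purely by host name, so an expired certificate on the HTTPS side changes nothing (the pin was set by an earlier successful visit and the browser never consults HTTP to check), and the header is ignored unless it was received over HTTPS, which is what stops the HTTP-only attacker described in the reply from planting or clearing a policy.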


