Xfce Community Web Forum
Darac Marjal
mailinglist at darac.org.uk
Mon Mar 23 11:24:21 CET 2015
On Sun, Mar 22, 2015 at 03:27:49AM +0000, Wes Gregg wrote:
> Okay, what is the trick for getting to the website using "http" instead of
> "https?" I've tried typing:
> forum.xfce.org - tries to get in using https
> [code]http://forum.xfce.org[/code] tries to get in using https
> [code]www.forum.xfce.org[/code] not found
> I'm using Firefox (36.0.1) in linux (Mint Xfce) if it makes any
> difference.
The problem you have is that forum.xfce.org uses HSTS (HTTP Strict
Transport Security) which is a header that tells the browser "This
website should be connected to securely, do not attempt to connect to
the HTTP site."
There was a possible attack vector whereby an attacker could get control
of an HTTP site, but not an HTTPS site, and could modify the HTTP site to
redirect elsewhere. Normally, a user would connect to http://example.org
and receive a redirect to https://example.org and know they're secure.
But with a compromised site, they could visit http://example.org, be
directed to http://malicious.example.net which would, say, log their
visit or implant some malware and then redirect them on to
https://example.org.
With the new header, once a browser has connected to the HTTPS site, it
is basically told to never trust the HTTP site. So if you enter
http://example.org, the browser will not send a request to that site at
all. It will internally "correct" your command to https://example.org
and that will be its first point of contact with the server.
Your options are, in that case:
* Use a different browser, one that has never visited the HTTPS site
* Wait for the HSTS header to expire (which is usually of the order of
years)
* Wait for the owner of the site to fix their certificate :)
> Thanks!
>
>
> --------------------------------------------------------------------------
>
> From: David <dgboles at gmail.com>
> To: xfce at xfce.org
> Sent: Friday, March 20, 2015 7:44 PM
> Subject: Re: Xfce Community Web Forum
> On 3/20/2015 6:22 PM, Charles A Edwards wrote:
> > On Fri, 20 Mar 2015 17:37:44 -0400
> > David wrote:
> >
> >
> >
> > If you connect using [1]http://forum.xfce.org/ there is no issue.
> >
> > If [2]https://forum.xfce.org/ is used all browsers will give the
> > "Connection is Untrusted" error.
> >
> > "forum.xfce.org uses an invalid security certificate.
> >
> > The certificate expired on 03/19/2015 04:20 PM. The current time is
> > 03/20/2015 06:16 PM.
> >
> > (Error code: sec_error_expired_certificate)"
> >
> >
> > Charles
>
> Hmm... hi Charles. You are correct sir!! :-)
>
> So this means that their site cert works but not for 'Secret Squirrel'
> stuff? Correct? :-) Wow. Which makes me wonder just how unique that is?
>
> :-)
>
> --
>
> David
> _______________________________________________
> Xfce mailing list
> [3]Xfce at xfce.org
> [4]https://mail.xfce.org/mailman/listinfo/xfce
> [5]http://www.xfce.org
>
> References
>
> Visible links
> 1. http://forum.xfce.org/
> 2. https://forum.xfce.org/
> 3. mailto:Xfce at xfce.org
> 4. https://mail.xfce.org/mailman/listinfo/xfce
> 5. http://www.xfce.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Digital signature
URL: <https://mail.xfce.org/pipermail/xfce/attachments/20150323/3eaf8a1c/attachment.sig>
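The HSTS behaviour Darac describes (the browser rewriting http:// to https:// before any request leaves the machine, for as long as the cached max-age lasts) as a small added model written for this archive page; it is not code from the thread or from Xfce, and the host names and timestamps used in it are assumed sample values.

```python
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("Strict-Transport-Security requires max-age")
    return max_age, include_sub

class HstsCache:
    """Per-browser cache of HSTS hosts: host -> (expiry timestamp, includeSubDomains)."""
    def __init__(self):
        self.hosts = {}

    def record(self, host, header, now):
        """Only a header received over HTTPS may be recorded; a browser ignores it on plain HTTP."""
        max_age, include_sub = parse_hsts(header)
        if max_age == 0:
            self.hosts.pop(host, None)          # max-age=0 tells the browser to forget the host
        else:
            self.hosts[host] = (now + max_age, include_sub)

    def is_known(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):            # exact host first, then each parent domain
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires, include_sub = entry
            if expires <= now:
                continue                        # expired entry: behave as if never seen
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url, now):
        """URL the browser will actually contact: http becomes https for a known host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname, now):
            return url
        port = "" if parts.port in (None, 80) else f":{parts.port}"
        return urlunsplit(("https", parts.hostname + port, parts.path, parts.query, parts.fragment))
```

Note that for a host in this cache RFC 6797 also requires the browser to treat a certificate error as fatal with no click-through, which is exactly why an expired certificate on an HSTS site locks users out rather than merely warning them.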