Re: [Sks-devel] Pools & HSTS header
From: William Hay
Subject: Re: [Sks-devel] Pools & HSTS header
Date: Fri, 3 Jun 2016 20:43:03 +0100
User-agent: Mutt/1.5.23 (2014-03-12)
On Fri, Jun 03, 2016 at 04:49:57PM +0200, Christoph Egger wrote:
> Well.
>
> http://pool.sks-keyservers.net(:11371)? --redirect-->
> https://keyserver.siccegge.de
>
> And if keyserver.siccegge.de present a valid certificate + HSTS would be
> a problem no? (and potentially undetected if the pool script mainly
> checks API pages)
You don't specify what hostname keyserver.siccegge.net presents
a valid certificate for, which is kind of key.

If it does an http redirect to https://keyserver.siccegge.de
which presents a certificate for keyserver.siccegge.de then it is
keyserver.siccegge.de that will go into the https only list which is fine
since keyserver.siccegge.de supports https.

If it does an http redirect to https://pool.sks-keyservers.net then
unless keyserver.siccegge.de has a certificate in that name the browser
will start complaining loudly and won't even see the HSTS header.
William
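Added example, not part of the original message: a small Python model of the two redirect cases discussed in this thread, showing which hostname a client records as HSTS-only. The response tables are constructed, and certificate matching is simplified to an exact name comparison (no wildcards).

```python
from urllib.parse import urlsplit

# Constructed scenarios: what the pool member answers on each origin it is
# reached through. "cert" = names on the certificate it presents,
# "hsts" = it sends a Strict-Transport-Security header.
CASE_A = {  # http on the pool name redirects to the member's own name
    "http://pool.sks-keyservers.net": {
        "hsts": True,  # sent over plain http, so the client ignores it
        "location": "https://keyserver.siccegge.de/",
    },
    "https://keyserver.siccegge.de": {"cert": {"keyserver.siccegge.de"}, "hsts": True},
}
CASE_B = {  # http on the pool name redirects to https on the pool name
    "http://pool.sks-keyservers.net": {"location": "https://pool.sks-keyservers.net/"},
    # Same machine, but its certificate only covers its own name.
    "https://pool.sks-keyservers.net": {"cert": {"keyserver.siccegge.de"}, "hsts": True},
}


def browse(url, servers, max_hops=5):
    """Follow redirects; return (outcome, hosts the client notes as HSTS hosts)."""
    noted = set()
    for _ in range(max_hops):
        parts = urlsplit(url)
        host = parts.hostname
        resp = servers[f"{parts.scheme}://{host}"]
        if parts.scheme == "https":
            # A name mismatch aborts the connection before any header is read.
            if host not in resp.get("cert", set()):
                return f"certificate error for {host}", noted
            # The policy is recorded for the host in the URL, nothing else.
            if resp.get("hsts"):
                noted.add(host)
        if "location" not in resp:
            return f"loaded {url}", noted
        url = resp["location"]
    return "too many redirects", noted


if __name__ == "__main__":
    for name, case in (("A", CASE_A), ("B", CASE_B)):
        print(name, browse("http://pool.sks-keyservers.net/", case))
```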