STS and SSL in noscript.net website

General discussion about the NoScript extension for Firefox
strel
Posts: 8
Joined: Wed Dec 29, 2010 3:09 pm

STS and SSL in noscript.net website

Post by strel »

Using the Force TLS extension, I've noticed noscript.net would be using the STS HTTP header, as it is automatically added to the Force TLS list. The problem is that the SSL version of noscript.net is not working properly. It just shows an InformAction OSS logo in the top left over a white background, and nothing else, making Force TLS or STS UI users disable those extensions to access noscript.net.
Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: STS and SSL in noscript.net website

Post by Giorgio Maone »

noscript.net doesn't deploy SSL at all, because it's a high traffic (for my infrastructure at least) site which doesn't exchange any sensitive bit with its users.

It just happens to share its server location with one of the 4 secure.informaction.com instances, as you can easily find out by examining the SSL certificate (which you shouldn't have accepted on principle, because it's for a different host).
Therefore you should never open https://noscript.net, and if you do Firefox should show you an error page and prevent you from doing it.

Furthermore, if Force TLS does process the STS header from noscript.net, which has an invalid certificate, it's a bug per specification:
draft-hodges-STS wrote:
7.1. Strict-Transport-Security Response Header Field Processing

If an HTTP response, received over a secure transport, includes a
Strict-Transport-Security HTTP Response Header field, conforming to
the grammar specified in Section 5.1 "Strict-Transport-Security HTTP
Response Header Field" (above), and there are no underlying secure
transport errors or warnings, the UA MUST either:

http://tools.ietf.org/html/draft-hodges ... 02#page-16
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
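
The rule quoted above from section 7.1, written out as a user-agent check. This is an added example, not part of the original posts and not Force-TLS or Firefox code; the response object shape, the `tlsErrors` list and the sample header values are assumptions made for the illustration.

```javascript
// Added example. Simplified parser for the STS header value: only the
// max-age and includeSubDomains directives are recognised.
function parseStsHeader(value) {
  const policy = { maxAge: null, includeSubDomains: false };
  for (const raw of String(value).split(";")) {
    const directive = raw.trim();
    if (directive === "") continue;
    const m = /^max-age\s*=\s*(\d+)$/i.exec(directive);
    if (m) {
      if (policy.maxAge !== null) return null; // repeated max-age: reject
      policy.maxAge = Number(m[1]);
    } else if (/^includeSubDomains$/i.test(directive)) {
      policy.includeSubDomains = true;
    } // anything else is skipped by this simplified parser
  }
  return policy.maxAge === null ? null : policy; // max-age is required
}

// response: { host, scheme, tlsErrors: [...], headers: {lowercase-name: value} }
// (hypothetical shape). store: Map of host -> noted policy.
function processStsResponse(response, store, nowMs = Date.now()) {
  // The header only counts when it arrives over secure transport...
  if (response.scheme !== "https") return "ignored: insecure transport";
  // ...and with no underlying transport errors or warnings.
  if (response.tlsErrors.length > 0) {
    return "ignored: transport error (" + response.tlsErrors.join(", ") + ")";
  }
  const policy = parseStsHeader(response.headers["strict-transport-security"] || "");
  if (policy === null) return "ignored: header missing or malformed";
  store.set(response.host, {
    expiresAt: nowMs + policy.maxAge * 1000,
    includeSubDomains: policy.includeSubDomains,
  });
  return "noted";
}

// Constructed sample responses; the header values are not taken from the thread.
const stsHosts = new Map();
const mismatched = {
  host: "noscript.net", scheme: "https",
  tlsErrors: ["certificate issued for a different host"],
  headers: { "strict-transport-security": "max-age=31536000" },
};
const clean = {
  host: "secure.example", scheme: "https", tlsErrors: [],
  headers: { "strict-transport-security": "max-age=600; includeSubDomains" },
};
console.log(processStsResponse(mismatched, stsHosts));
console.log(processStsResponse(clean, stsHosts));
console.log([...stsHosts.keys()]);
```
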
strel
Posts: 8
Joined: Wed Dec 29, 2010 3:09 pm

Re: STS and SSL in noscript.net website

Post by strel »

Thx, I accepted it because I knew it was your company. I'll report the bug linking to here.
Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
strel
Posts: 8
Joined: Wed Dec 29, 2010 3:09 pm

Re: STS and SSL in noscript.net website

Post by strel »

I received a response from Sid Stamm (Force TLS and STS UI programmer):

Thanks for the bug report. There are more spec-violation bugs in
Force-TLS since it is older than the spec -- I've neglected the add-on
a bit since I instead began to focus on building it into Firefox 4
(which does not have this bug).

Can you file a bug on the project site?
(http://code.google.com/p/force-tls/issu ... rom%20user)
When I have some time I'll fix it... or if you feel ambitious, please
submit a patch.

Thanks again,
Sid


The bug is already filed in Google Code, and you're properly credited. I wanted you to know.
Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: STS and SSL in noscript.net website

Post by Giorgio Maone »

Thank you.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13