STS and SSL in noscript.net website
Posted: Wed Dec 29, 2010 3:34 pm
by strel
Using the Force TLS extension I've noticed noscript.net would be using the STS HTTP header, as it automatically adds it to the Force TLS list. The problem is that the SSL version of noscript.net is not working properly. It just shows an InformAction OSS logo in the top left over a white background, and nothing else, making Force TLS or STS UI users disable those extensions to access noscript.net.
Re: STS and SSL in noscript.net website
Posted: Wed Dec 29, 2010 3:51 pm
by Giorgio Maone
noscript.net doesn't deploy SSL at all, because it's a high traffic (for my infrastructure at least) site which doesn't exchange any sensitive bit with its users.
It just happens to share its server location with one of the 4 secure.informaction.com instances, as you can easily find out by examining the SSL certificate (which you shouldn't have accepted on principle, because it's for a different host).
Therefore you should never open https://noscript.net, and if you do Firefox should show you an error page and prevent you from doing it.
Furthermore, if Force TLS does process the STS header from noscript.net, which has an invalid certificate, it's a bug per specification:
draft-hodges-STS wrote:
7.1. Strict-Transport-Security Response Header Field Processing
If an HTTP response, received over a secure transport, includes a Strict-Transport-Security HTTP Response Header field, conforming to the grammar specified in Section 5.1 "Strict-Transport-Security HTTP Response Header Field" (above), and there are no underlying secure transport errors or warnings, the UA MUST either:
http://tools.ietf.org/html/draft-hodges ... 02#page-16
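The section 7.1 precondition quoted above, as an added Python model (not Force TLS or NoScript code): a UA records a Strict-Transport-Security header only when the response arrived over TLS with no transport errors (a certificate issued for a different host counts as one) and the header matches the section 5.1 grammar. The Response class and the two sample responses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Response:  # constructed stand-in for a real HTTP response object
    host: str
    over_tls: bool      # received over a secure transport?
    tls_errors: tuple   # e.g. ("certificate hostname mismatch",); empty if clean
    headers: dict

def parse_sts(value):
    """Section 5.1 grammar: max-age required, includeSubDomains optional,
    unrecognised directives ignored; None if the header is malformed."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None  # duplicate or non-numeric max-age
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}

def process_sts(resp, known_hosts):
    """Section 7.1: return (updated known-hosts dict, reason)."""
    known = dict(known_hosts)
    if not resp.over_tls:
        return known, "ignored: not received over a secure transport"
    if resp.tls_errors:  # the noscript.net case: cert is for another host
        return known, "ignored: transport errors: " + ", ".join(resp.tls_errors)
    value = resp.headers.get("Strict-Transport-Security")
    if value is None:
        return known, "no STS header"
    parsed = parse_sts(value)
    if parsed is None:
        return known, "ignored: header does not match grammar"
    if parsed["max_age"] == 0:  # max-age=0 means stop treating host as known
        known.pop(resp.host, None)
        return known, "removed"
    known[resp.host] = parsed
    return known, "noted"

# Constructed sample responses modelling the thread.
NOSCRIPT = Response("noscript.net", True, ("certificate hostname mismatch",),
                    {"Strict-Transport-Security": "max-age=31536000"})
SECURE = Response("secure.informaction.com", True, (),
                  {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
```

A conforming UA leaves the known-hosts list untouched for NOSCRIPT and only notes SECURE; the bug described in this thread is the first case being treated like the second.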
Re: STS and SSL in noscript.net website
Posted: Thu Dec 30, 2010 4:00 pm
by strel
Thx, I accepted it because I knew it was your company. I'll report the bug linking to here.
Re: STS and SSL in noscript.net website
Posted: Sat Jan 01, 2011 5:14 pm
by strel
I received a response from Sid Stamm (Force TLS and STS UI programmer):
Thanks for the bug report. There are more spec-violation bugs in Force-TLS since it is older than the spec -- I've neglected the add-on a bit since I instead began to focus on building it into Firefox 4 (which does not have this bug).
Can you file a bug on the project site?
(http://code.google.com/p/force-tls/issu ... rom%20user)
When I have some time I'll fix it... or if you feel ambitious, please submit a patch.
Thanks again,
Sid
The bug is now filed in Google Code, and you're properly credited. I wanted you to know.
Re: STS and SSL in noscript.net website
Posted: Sat Jan 01, 2011 5:52 pm
by Giorgio Maone
Thank you.