----- Original Message -----
> From: "Kurt Roeckx" <[email protected]>
> To: [email protected]
> Sent: Tuesday, August 5, 2014 2:59:30 PM
> Subject: Re: Removal of 1024 bit CA roots - interoperability
>
> On 2014-08-05 14:22, Hubert Kario wrote:
> > 0.05% of sites doesn't mean 0.05% of users, especially if we look at local,
> > not global, user share. Some of them are high-profile sites, e.g.:
> > volkswagen.at, dell.com, cadillaceurope.com, www.portaldasfinancas.gov.pt
>
> It's not because they have an https site that people actually use it
> over https.
>
> So, testing those sites:
> - dell.com: Doesn't work without www. It's not mentioned in your other
> mail, but dell.cl and dell.com.br are. They all send the same
> certificate, and that's not valid for those hostnames.
> - cadillaceurope.com: it's not valid without www.
Sites which are presented without www appear that way because they resolve to the same IP addresses as the sites that do have the www prefix/host part; this is an artefact of the way the scanning script works.

Additionally, just because a site doesn't redirect to https doesn't mean that it never uses it. It may use it for login for administrators, it may use it only when asking for personally identifiable information, only for specific subpages, etc.

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: [email protected]
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
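The www / non-www mismatch discussed in this exchange comes down to hostname verification: the scanner resolves each name to an IP address, connects, and checks the one certificate that server sends against the name it started from, so dell.com, dell.cl and dell.com.br all end up compared against a certificate issued for the www hosts. The following is an added example, not code from the thread and not either author's scanning script. It implements RFC 6125-style DNS-ID matching against a certificate in the dict shape Python's ssl.getpeercert() returns; the certificate and its subjectAltName entries are constructed for illustration, the hostnames are used only as strings, and nothing is contacted on the network.

```python
"""Added example (not from the thread): why a certificate issued for
www.dell.com is "not valid" for dell.com.

Implements RFC 6125-style DNS-ID matching against a certificate given in the
dict shape that Python's ssl.getpeercert() returns.  The certificate below is
constructed for illustration; its subjectAltName entries are assumptions, and
the hostnames are only used as strings (nothing is contacted on the network).
"""


def dns_id_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS-ID from the certificate against a hostname.

    Comparison is case-insensitive and ignores a trailing dot.  A wildcard is
    honoured only as the entire left-most label of a pattern with at least
    two more labels ("*.cdn.example.com"), and it matches exactly one label,
    the strict reading of RFC 6125 section 6.4.3.  "*.com", "w*.example.com"
    and "*.dell.com" against "dell.com" therefore never match.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "" in p_labels or "" in h_labels:
        return False  # empty name or empty label: never valid
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def certificate_names(cert: dict) -> list:
    """Names the certificate asserts: all DNS subjectAltName entries, or the
    subject CN only when there is no DNS SAN at all (RFC 6125 section 6.4.4)."""
    dns_names = [value for kind, value in cert.get("subjectAltName", ())
                 if kind == "DNS"]
    if dns_names:
        return dns_names
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return [value]
    return []


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for the given hostname."""
    return any(dns_id_matches(name, hostname)
               for name in certificate_names(cert))


def scan_hostnames(cert: dict, hostnames) -> dict:
    """What the thread's scanner effectively did: every name that resolves to
    the same server is checked against the one certificate that server
    sends.  Returns {hostname: valid?}."""
    return {host: hostname_matches(cert, host) for host in hostnames}


# Constructed certificate (assumed SAN list), in ssl.getpeercert() shape.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "www.dell.com"),)),
    "subjectAltName": (("DNS", "www.dell.com"), ("DNS", "www.dell.cl"),
                       ("DNS", "www.dell.com.br"), ("DNS", "*.cdn.dell.com")),
}

# Names that, in the thread, were found to resolve to the same IP addresses
# (plus two constructed names to exercise the wildcard rule).
SCANNED_HOSTS = ["dell.com", "www.dell.com", "dell.cl", "www.dell.cl",
                 "dell.com.br", "www.dell.com.br",
                 "a.cdn.dell.com", "cdn.dell.com"]

if __name__ == "__main__":
    for host, ok in scan_hostnames(SAMPLE_CERT, SCANNED_HOSTS).items():
        print(f"{host:20s} {'valid' if ok else 'NOT valid for this name'}")
```

Two details matter for reading scan results like the ones above: a name that is only in the subject CN is ignored as soon as the certificate carries any DNS SAN, and a wildcard never covers the bare parent domain, so "*.dell.com" would still not rescue dell.com. A scanner that wants to report on the apex name rather than on the server it shares an address with has to keep the original name and verify against that, exactly as a browser would.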

