On Thu, Feb 11, 2016 at 12:05 AM, Nigel Metheringham <[email protected]> wrote:
> Suspect you may have something like a https-everywhere plugin on your
> browser pushing it to an https URL.
>
> We do not serve the base website (exim.org or www.exim.org) over TLS
> currently - attempting to get these over TLS will fail in interesting and
> likely amusing ways. There has been a change in that the parts that are
> served over TLS (on the same IP) do now set a strict https only policy.
>
> I've currently no intention of changing this unless there is a strong
> argument to do so (argument to not do so is key management is a pain).

Had the presence of mind at last to check headers:

  :~$ wget -SO /dev/null https://exim.org/
  --2016-02-11 01:13:33--  https://exim.org/
  Resolving exim.org (exim.org)... 131.111.8.88
  Connecting to exim.org (exim.org)|131.111.8.88|:443... connected.
  HTTP request sent, awaiting response...
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: Bugzilla_login_request_cookie=CbKuem8Y0N; path=/; secure; HttpOnly
    Date: Wed, 10 Feb 2016 22:13:34 GMT
    X-xss-protection: 1; mode=block
    X-frame-options: SAMEORIGIN
    X-content-type-options: nosniff
    Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

See the Strict-Transport-Security header? That's the culprit.

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

  HTTP Strict Transport Security (HSTS) is a web security policy mechanism
  which helps to protect websites against protocol downgrade attacks and
  cookie hijacking. It allows web servers to declare that web browsers (or
  other complying user agents) should only interact with it using secure
  HTTPS connections, and never via the insecure HTTP protocol.

  HSTS is an IETF standards track protocol and is specified in RFC 6797
  (https://tools.ietf.org/html/rfc6797).

Why it doesn't bite me when I launch Firefox without Ghostery, Adblock+ and
NoScript, but through a SOCKSv5 proxy and under another user, I cannot fathom.

But if it is your intention to serve exim.org over http, you should remove
that header. It just might be that I hit some of the domains in https mode
and HSTS mode got set for the whole domain, maybe with some weird dependency
on the certificate.

Also, what is the bugzilla cookie doing here?

-- 
./lxnt

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
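The behaviour the thread is puzzling over follows directly from how a user agent is required to handle that header. The following is an added example, not code from the thread or from the Exim project: a small RFC 6797 style evaluator that parses the Strict-Transport-Security value captured above, records it in a "known HSTS hosts" store the way a browser would, and answers whether a later plain-http request to a given host would be rewritten to https. Two rules from RFC 6797 section 8.1 explain the symptoms described: the header is only honoured when it arrives over TLS with no certificate errors or warnings (so a browser profile that never completed a clean https visit never learns the policy), and `includeSubdomains` extends the policy to every subdomain of the host that sent it (so a single clean https fetch of exim.org forces https for www.exim.org, lists.exim.org and the rest for the full max-age). The hostnames in the demo other than exim.org and www.exim.org are constructed for illustration, and the store, parser and function names are this example's own.

```python
"""Minimal HSTS policy evaluator modelled on RFC 6797 (sections 6.1 and 8).

Added example; not code from the exim-users thread or from Exim itself.
"""
import re
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the header value captured in the wget output above.
SAMPLE_STS = "max-age=63072000; includeSubdomains; preload"


@dataclass
class HstsPolicy:
    max_age: int              # seconds the policy stays valid
    include_subdomains: bool  # policy also covers every subdomain
    preload: bool             # site is asking to be shipped in browser preload lists
    expires: float            # absolute epoch time at which the entry lapses


# One directive: name, optionally "= value" with the value optionally quoted.
_DIRECTIVE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*"?([^";]*?)"?\s*)?$')


def parse_sts(value: str, now: Optional[float] = None) -> Optional[HstsPolicy]:
    """Parse an STS header value. Returns None for anything a conforming UA
    ignores: malformed directive, repeated directive, or missing/non-numeric
    max-age. Directive names are case-insensitive (RFC 6797 section 6.1)."""
    now = time.time() if now is None else now
    seen: Dict[str, Optional[str]] = {}
    for raw in value.split(";"):
        if not raw.strip():
            continue
        m = _DIRECTIVE.match(raw)
        if not m:
            return None
        name = m.group(1).lower()
        if name in seen:  # a repeated directive invalidates the whole header
            return None
        seen[name] = m.group(2)
    max_age = seen.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return HstsPolicy(
        max_age=int(max_age),
        include_subdomains="includesubdomains" in seen,
        preload="preload" in seen,
        expires=now + int(max_age),
    )


class HstsStore:
    """The 'known HSTS hosts' list a user agent keeps (RFC 6797 section 8)."""

    def __init__(self) -> None:
        self._hosts: Dict[str, HstsPolicy] = {}

    def process_response(self, host: str, sts_value: Optional[str],
                         over_tls: bool, tls_clean: bool = True,
                         now: Optional[float] = None) -> bool:
        """Apply one response's STS header; return True if the store changed.

        Per section 8.1 the header counts only when received over a secure
        transport with no certificate errors or warnings. Seen over plain http,
        or via a connection with a certificate problem, it is ignored, which is
        why one browser profile can be caught by the policy and another not.
        A max-age of 0 tells the UA to forget the host."""
        host = host.lower().rstrip(".")
        if sts_value is None or not over_tls or not tls_clean:
            return False
        policy = parse_sts(sts_value, now)
        if policy is None:
            return False
        if policy.max_age == 0:
            return self._hosts.pop(host, None) is not None
        self._hosts[host] = policy
        return True

    def must_use_https(self, host: str, now: Optional[float] = None) -> bool:
        """Would a conforming UA rewrite http://host/ to https://host/ ?

        Exact host match always applies; a parent domain's entry applies only
        if it carried includeSubdomains. Expired entries are ignored."""
        now = time.time() if now is None else now
        host = host.lower().rstrip(".")
        labels = host.split(".")
        for i in range(len(labels)):          # exact host, then each parent
            policy = self._hosts.get(".".join(labels[i:]))
            if policy is None or policy.expires <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False


def affected_hosts(store: HstsStore, hosts: List[str],
                   now: Optional[float] = None) -> List[str]:
    """Which of the given hostnames this store would force onto https."""
    return [h for h in hosts if store.must_use_https(h, now)]


if __name__ == "__main__":
    store = HstsStore()
    store.process_response("exim.org", SAMPLE_STS, over_tls=True)
    # Hostnames other than exim.org/www.exim.org are constructed for the demo.
    candidates = ["exim.org", "www.exim.org", "lists.exim.org",
                  "wiki.exim.org", "example.org"]
    for h in candidates:
        print(f"{h:16s} https forced: {store.must_use_https(h)}")
```

The practical consequence for an operator: once a browser has accepted the header above from exim.org, it will refuse plain http to every exim.org subdomain for two years, and the only ways to undo that are to serve `max-age=0` over a clean TLS connection that the user actually visits, or for the user to clear the entry by hand. The `preload` directive is a separate commitment: if the domain is submitted to the browser preload lists, the policy is enforced before any first visit and removal from those lists takes a long time, so it should only be set by a site that already serves everything under the domain over TLS.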
