On 11/02/16 00:37, Marcin Gryszkalis wrote:
> From my point of view this is a little misconfiguration: the admin should
> set up a small virtual host that would be the default for https, without HSTS and
> probably redirecting to http://www.exim.org (so the bugzilla wouldn't be the
> default one).
I think that the important thing is that https://exim.org needs to not have the "includeSubDomains" option on the HSTS header [unless *.exim.org really can be accessed over HTTPS with valid certs]. There is no great advantage to dropping HSTS entirely, as far as I can see [either way an affected user would need to load https://exim.org following the change, and it would independently make sense that http://exim.org and https://exim.org serve up the same site].

I'd also suggest that it would make sense to add a cert for www.exim.org, especially since an unknown number of people may already be effectively locked out and may either be unaware that they can clear this state from their browser or believe that it indicates an actual problem.

I don't know what aspect of key management is a concern to Nigel, but if additional keys would be a headache then a SAN/wildcard cert to replace the current bugs.exim.org+exim.org one would be a way to avoid that.

Dominic

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
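An added example, not code from the exim-users thread, showing the check an admin could run before keeping includeSubDomains: it parses a Strict-Transport-Security header and reports which subdomains would be locked out. The host names and the https_ok map are a constructed sample modelled on the thread (bugs.exim.org has a cert, www.exim.org does not).

```python
# Added example (not code from the exim-users thread): parse a
# Strict-Transport-Security header and flag the includeSubDomains lock-out.
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False

def parse_hsts(header: str) -> HstsPolicy:
    """Parse an STS value (RFC 6797 s6.1): ';'-separated, case-insensitive
    directive names; max-age is mandatory; unknown directives are ignored."""
    policy = HstsPolicy()
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy.max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy

def audit_hsts(header: str, host: str, https_ok: Dict[str, bool]) -> List[str]:
    """Findings for an STS header served by `host`; `https_ok` maps each
    subdomain to whether it presents a valid certificate (constructed input)."""
    policy = parse_hsts(header)
    findings: List[str] = []
    if policy.max_age is None:
        findings.append("max-age missing: browsers ignore the whole header")
    if policy.include_subdomains:
        # Every name under `host` is pinned to HTTPS for max-age seconds; one
        # without a valid cert is unreachable in that browser until it expires.
        for name in sorted(https_ok):
            if name.endswith("." + host) and not https_ok[name]:
                findings.append(f"includeSubDomains on {host} locks out {name}")
    return findings

# Constructed sample modelled on the thread: exim.org sends includeSubDomains,
# bugs.exim.org has a certificate, www.exim.org does not.
SAMPLE_HOST = "exim.org"
SAMPLE_HTTPS = {"bugs.exim.org": True, "www.exim.org": False}
BAD_HEADER = "max-age=31536000; includeSubDomains"
FIXED_HEADER = "max-age=31536000"

if __name__ == "__main__":
    for h in (BAD_HEADER, FIXED_HEADER):
        print(h, "->", audit_hsts(h, SAMPLE_HOST, SAMPLE_HTTPS) or ["ok"])
```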
