> On Jul 28, 2015, at 2:50 PM, Moshe Katz <mo...@ymkatz.net> wrote:
>
> On Tue, Jul 28, 2015 at 3:44 PM, Vick Khera <vi...@khera.org> wrote:
>
>> On Sun, Jul 26, 2015 at 10:31 PM, Ryan Coleman <ryan.cole...@cwis.biz>
>> wrote:
>>
>>> I have an issue with Qualy’s: They ding my certification because I have
>>> domain.com on it and not www.domain.com (multi-site cert).
>>>
>>> That’s not a reason to lower a score on security.
>>
>> The only way I can make sense of your sentence is that they are dinging you
>> for having a certificate that does not match the name of the site you are
>> visiting because one has "www." and the other does not. That seems to be
>> reasonable for them to ding you.
>
> Vick,
>
> Qualys *does* take off points if you have a certificate for your "bare"
> domain name without it having "www" as an alternate name. For example, a
> certificate for 'example.com' that doesn't work for 'www.example.com' is
> penalized, even if it is really only used for 'example.com'.
>
> I believe that the reason they do this is because they assume that people
> always have their sites set up so that www redirects to bare, bare
> redirects to www, or both bare and www show the same content. While this
> may not always be true, it is an assumption that Qualys and many other
> people make, so it is included in the grade.

Sure, but if you try to load www.domain.com it sends you to the clean domain immediately. I am not testing www.domain.com - I am testing domain.com and there’s no evidence they’re trying to load www.domain.com, only reading the certificate and seeing it doesn’t cover it.
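
An added example, not part of the original thread and not any scanner's own code: a name-coverage check of the kind discussed above can be made from the certificate's subjectAltName list alone, without connecting to the www host. The SAN lists are constructed, the function names are hypothetical, and wildcard matching is simplified to the whole-leftmost-label case.

```python
def _match(pattern, host):
    """Match one SAN dNSName against a hostname. Simplified RFC 6125 rule:
    '*' is honoured only as the entire leftmost label and stands for
    exactly one label, so '*.example.com' does not cover 'example.com'."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a single label such as '*.com'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def covers(san_names, host):
    """True if any SAN entry matches the hostname."""
    return any(_match(name, host) for name in san_names)


def counterpart(host):
    """Map example.com <-> www.example.com."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else "www." + host


def name_coverage(san_names, tested_host):
    """Report coverage for the tested name and its www/bare counterpart."""
    other = counterpart(tested_host)
    return {
        "tested": (tested_host, covers(san_names, tested_host)),
        "counterpart": (other, covers(san_names, other)),
    }


if __name__ == "__main__":
    # Constructed SAN lists, not taken from any real certificate.
    samples = {
        "multi-site cert without www": ["example.com", "mail.example.com"],
        "bare and www both listed": ["example.com", "www.example.com"],
        "wildcard only": ["*.example.com"],
    }
    for label, sans in samples.items():
        print(label, name_coverage(sans, "example.com"))
```

The wildcard-only case is the reverse of the situation in the thread: the www name is covered and the bare domain is not.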