On Tue, Jul 28, 2015 at 3:54 PM, Ryan Coleman <[email protected]> wrote:

>
> > On Jul 28, 2015, at 2:50 PM, Moshe Katz <[email protected]> wrote:
> >
> > On Tue, Jul 28, 2015 at 3:44 PM, Vick Khera <[email protected]> wrote:
> >
> >> On Sun, Jul 26, 2015 at 10:31 PM, Ryan Coleman <[email protected]>
> >> wrote:
> >>
> >>> I have an issue with Qualys: They ding my certification because I have
> >>> domain.com on it and not www.domain.com (multi-site cert).
> >>>
> >>> That’s not a reason to lower a score on security.
> >>>
> >>
> >> The only way I can make sense of your sentence is that they are dinging
> >> you for having a certificate that does not match the name of the site you
> >> are visiting because one has "www." and the other does not. That seems to
> >> be reasonable for them to ding you.
> >>
> >>
> > Vick,
> >
> > Qualys *does* take off points if you have a certificate for your "bare"
> > domain name without it having "www" as an alternate name.  For example, a
> > certificate for 'example.com' that doesn't work for 'www.example.com' is
> > penalized, even if it is really only used for 'example.com'.
> >
> > I believe that the reason they do this is because they assume that people
> > always have their sites set up so that www redirects to bare, bare
> > redirects to www, or both bare and www show the same content.  While this
> > may not always be true, it is an assumption that Qualys and many other
> > people make, so it is included in the grade.
>
> Sure but if you try to load www.domain.com it sends you to the clean domain
> immediately. I am not testing www.domain.com - I am testing domain.com and
> there’s no evidence they’re trying to load www.domain.com, only reading the
> certificate and seeing it doesn’t cover it.
>


Ryan,

That is *exactly* what I said.  They *don't* check whether you are
redirecting, and they *don't* try to load the www version. They naively
assume that the same certificate *must* cover both of those names because
they assume you are redirecting one to the other.

There is one reason that it matters, even in your case.  Take the following
four URLs:

   - http://domain.com/    => redirects to SECURE on SAME DOMAIN
   - http://www.domain.com/   => redirects to SECURE on BARE DOMAIN
   - https://domain.com/     => the actual site
   - https://www.domain.com/  => SHOULD redirect to SECURE on BARE DOMAIN

You have handled the first three of them - but not the fourth one.  Instead
of getting a redirect, you will get a certificate error.

I don't know how you have configured your server - you may not even be
listening for secure connections on the WWW subdomain.  However, Qualys
assumes that you are redirecting in that fourth case *and that you are
using the same certificate to do it*, so they are testing for whether your
certificate covers for it.

Again,  I agree with you that this shouldn't affect your score.  I am
simply explaining why they do it.

Moshe


--
Moshe Katz
-- [email protected]
-- +1(301)867-3732
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
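The two checks Moshe's message describes, written out as an added example that is not part of the thread: does the certificate's SAN list cover both the bare domain and its www label, and do all four URL forms end at the canonical https://bare/ rather than at a certificate error. The SAN tuples, the `domain.com` names and the `simulated_site` responder are constructed for the demo; `fetch_san` is a live helper for running the same SAN check against a real server and is not used offline.

```python
"""Added example (not from the thread): offline check of whether a cert's SANs
cover both bare and www, and whether the four URL forms from the thread all end
at https://bare/ without a certificate error. Sample data is constructed."""
import socket
import ssl

# Constructed samples in the shape ssl.getpeercert()["subjectAltName"] uses.
BARE_ONLY_SAN = (("DNS", "domain.com"), ("DNS", "mail.domain.com"))
BARE_AND_WWW_SAN = (("DNS", "domain.com"), ("DNS", "www.domain.com"))


def dns_names(san_entries):
    return [value for (kind, value) in san_entries if kind == "DNS"]


def san_matches(pattern, hostname):
    """Exact or leftmost-label wildcard match (RFC 6125 style): '*.domain.com'
    covers 'www.domain.com' but neither 'domain.com' nor 'a.b.domain.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # ".domain.com"
        prefix = hostname[: -len(suffix)]    # the part '*' would absorb
        return hostname.endswith(suffix) and bool(prefix) and "." not in prefix
    return False


def uncovered_names(san_entries, bare_domain):
    """Names Qualys expects the cert to cover (bare and www) that it does not."""
    names = dns_names(san_entries)
    expected = [bare_domain, "www." + bare_domain]
    return [h for h in expected if not any(san_matches(p, h) for p in names)]


def canonical_redirect_plan(bare_domain):
    """The four URL forms from the thread; each should end at https://bare/."""
    canonical = f"https://{bare_domain}/"
    return {
        f"http://{bare_domain}/": canonical,
        f"http://www.{bare_domain}/": canonical,
        f"https://{bare_domain}/": canonical,
        f"https://www.{bare_domain}/": canonical,
    }


def audit(bare_domain, san_entries, responder):
    """responder(url) returns the final URL a redirect-following client reaches,
    or raises ssl.SSLCertVerificationError when the handshake fails first."""
    problems = [f"certificate does not cover {n}"
                for n in uncovered_names(san_entries, bare_domain)]
    for url, target in canonical_redirect_plan(bare_domain).items():
        try:
            final = responder(url)
        except ssl.SSLCertVerificationError as exc:
            problems.append(f"{url}: TLS error instead of redirect ({exc})")
            continue
        if final != target:
            problems.append(f"{url}: ends at {final}, expected {target}")
    return problems


def simulated_site(san_entries, bare_domain):
    """Constructed stand-in for the setup described in the thread: every form
    redirects to the bare HTTPS site, but an HTTPS request for a name the cert
    does not cover fails the handshake before any redirect can be sent."""
    def responder(url):
        scheme, rest = url.split("://", 1)
        host = rest.split("/", 1)[0]
        if scheme == "https" and not any(san_matches(p, host) for p in dns_names(san_entries)):
            raise ssl.SSLCertVerificationError(f"hostname {host!r} not in certificate")
        return f"https://{bare_domain}/"
    return responder


def fetch_san(hostname, port=443, timeout=5.0):
    """Live helper (not used by the offline demo): fetch a server's SAN list,
    sending SNI for the given name and skipping hostname checking so the cert
    can still be inspected when it does not cover that name. The chain is
    still verified against the system trust store."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert().get("subjectAltName", ())


if __name__ == "__main__":
    for label, san in (("bare only", BARE_ONLY_SAN), ("bare + www", BARE_AND_WWW_SAN)):
        print(label, audit("domain.com", san, simulated_site(san, "domain.com")) or ["ok"])
```

Run as-is it reports, for the bare-only certificate, both the missing SAN and the fourth URL failing with a TLS error instead of redirecting, which is exactly the gap the message points at; adding `www.domain.com` as a SAN clears both findings. To check a real host, feed `fetch_san("domain.com")` into `uncovered_names` in place of the constructed tuples.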
