On 29.07.2015 18:02, Vick Khera wrote:
> On Tue, Jul 28, 2015 at 4:12 PM, Moshe Katz <[email protected]> wrote:
>
>> Again, I agree with you that this shouldn't affect your score. I am
>> simply explaining why they do it.
>
> based on this explanation, i agree. there's no reason for them to demand
> your certificate also signs any other domain name as long as it signs the
> one to which they are connecting and testing.

Hi,

the reason why it affects your score is simple:

1. client makes a request to https://www.example.net
   => if it does not redirect to https://example.net the check stops here. All is OK
   => if your server responds with a redirect to https://example.net, it does it with an untrusted certificate. Untrusted, because the server certificate is not certified to be used from www.example.net.
So you have 3 options:
1. disable redirection of https://www to https://bare (probably not what you wish)
2. give your https://www server a valid certificate, so that the redirect is trustworthy (as done by https://www.web.de, which points to https://web.de)
3. if it is the same server, but only a separate config, you probably should get a certificate with CN: www.example.net and ALT-Names: DNS: www.example.net and DNS: example.net (example: https://xmodus-systems.de redirects to https://www.xmodus-systems.de, the cert is valid for both)

Again: the connection to https://www.example.net is technically not ok for sure. But this you probably already know.

Now "why does Qualys also check the www.?": Qualys checks this option for bare domains, because many users worldwide tend to prefix www. on every domain without thinking about it (bad habit). If the www. domain does not belong to you, it is a potential risk that your customers think they are accessing your site but in reality it is a possible "man-in-the-middle" site.

=> Security is not only a technical issue, but must also take account of human bad habits.

Best regards,
Claudio
--
Working on OpenWrt CC for Xmodus GSM Router XM1710E <http://www.xmodus-systems.de/openwrt>
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
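The hop-by-hop redirect check described in the post above, as an added example that is not part of the mailing-list thread: a small Python model that walks the https://www -> https://bare redirect and records whether the certificate presented at each hop is valid for the name the client connected to. Hosts and certificates are constructed dicts, not live TLS connections; the wildcard rule is an addition here to show that a `*.example.net` certificate alone covers www.example.net but not the bare domain, so option 3's two SAN entries are the complete fix.

```python
"""Model of the 'www redirect' trust check (added example, not from the post).
Servers and certificates below are constructed data, not real TLS peers."""
from typing import Iterable, List, Tuple


def hostname_matches(host: str, names: Iterable[str]) -> bool:
    """RFC 6125-style matching: exact DNS name, or a single leftmost wildcard
    label (*.example.net) covering exactly one label and never the bare domain."""
    host_labels = host.lower().rstrip(".").split(".")
    for name in names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host_labels:
            return True
        if (labels[0] == "*" and len(labels) == len(host_labels) >= 3
                and labels[1:] == host_labels[1:]):
            return True
    return False


def audit_redirect(start: str, servers: dict, max_hops: int = 5) -> List[Tuple[str, bool]]:
    """Follow redirects hop by hop; each entry is (host connected to, cert valid for it).
    servers: host -> {"san": [dns names in the cert], "redirect": next host or None}"""
    hops, host = [], start
    for _ in range(max_hops):
        srv = servers[host]
        hops.append((host, hostname_matches(host, srv["san"])))
        if srv["redirect"] is None:
            break
        host = srv["redirect"]
    return hops


def redirect_is_trusted(start: str, servers: dict) -> bool:
    """True only if every hop, including the redirecting www vhost, is trusted."""
    return all(ok for _, ok in audit_redirect(start, servers))


# Constructed scenario from the post: the www vhost redirects to the bare domain
# but presents the bare-domain certificate, so the first hop is untrusted.
BROKEN = {
    "www.example.net": {"san": ["example.net"], "redirect": "example.net"},
    "example.net": {"san": ["example.net"], "redirect": None},
}
# Option 3 from the post: one certificate whose SAN lists both names.
FIXED = {
    "www.example.net": {"san": ["www.example.net", "example.net"], "redirect": "example.net"},
    "example.net": {"san": ["www.example.net", "example.net"], "redirect": None},
}

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit_redirect("www.example.net", cfg))
```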
