18F / pulse

How the federal .gov domain space is doing at best practices and policies.

Can't Find the Issues with a Site #773

Closed jwilkinsusaid closed 6 years ago

jwilkinsusaid commented 6 years ago

I can't seem to find the issues Pulse is reporting with the following site: accqpub.usaid.gov

I ran it through SSL Labs and it seems to check out. https://www.ssllabs.com/ssltest/analyze.html?d=accqpub.usaid.gov&hideResults=on

Could someone let me know why there's a discrepancy? The site does an immediate redirect but it seems like SSL Labs and Pulse would read the same thing.

Thanks, James

konklone commented 6 years ago

@jwilkinsusaid I think the reason is that the immediate redirect is to an http:// URL:

$ curl --head https://accqpub.usaid.gov
HTTP/1.1 302 Moved Temporarily
Server: Day-Servlet-Engine/4.1.24 
Date: Thu, 19 Apr 2018 21:29:19 GMT
Location: http://accqpub.usaid.gov/index.html
Strict-Transport-Security: max-age=31536000; includeSubDomains

SSL Labs doesn't care about redirect downgrades, to my knowledge (and even if it did, it might take the HSTS policy that was set during the original response and apply it to the redirect).

However, Pulse does care about this, and it dings HTTPS sites that do a redirect "down" to http:// before redirecting back "up" to https://. If you fix the redirect destination to use https://, it should fix your standing in Pulse.
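
The downgrade described above can be reproduced with a small redirect-chain checker. The following Python is an added example written for this thread; it is not Pulse's own scanner and not code from either commenter. It follows `Location` headers one hop at a time (like repeated `curl --head` calls), records every hop, and flags any hop whose source is `https://` and whose destination is `http://`. The first sample response mirrors the curl output quoted above; the `http://` -> `https://` hop that follows, and the `FIXED_RESPONSES` table showing the corrected `Location`, are constructed for the example and were not observed.

```python
"""Flag https:// -> http:// redirect downgrades in a redirect chain."""
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed sample responses for an offline run. The first entry mirrors the
# curl output quoted in the thread; the remaining hops are assumptions that
# illustrate a "down to http, then back up to https" chain.
SAMPLE_RESPONSES = {
    "https://accqpub.usaid.gov/": (302, {
        "Location": "http://accqpub.usaid.gov/index.html",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    }),
    "http://accqpub.usaid.gov/index.html": (301, {
        "Location": "https://accqpub.usaid.gov/index.html",
    }),
    "https://accqpub.usaid.gov/index.html": (200, {}),
}

# Constructed "after the fix" responses: the only change is that the first
# redirect now points at an https:// destination.
FIXED_RESPONSES = {
    "https://accqpub.usaid.gov/": (302, {
        "Location": "https://accqpub.usaid.gov/index.html",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    }),
    "https://accqpub.usaid.gov/index.html": (200, {}),
}


def fake_fetch(url, table=SAMPLE_RESPONSES):
    """Offline fetcher: look the URL up in a constructed response table."""
    return table[url]


def fixed_fetch(url):
    """Offline fetcher backed by the constructed post-fix responses."""
    return fake_fetch(url, FIXED_RESPONSES)


def live_fetch(url, timeout=10):
    """HEAD request that does NOT follow redirects (like `curl --head`)."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


def normalize(url):
    """Give bare-host URLs an explicit '/' path so table lookups are stable."""
    parts = urlsplit(url)
    return parts._replace(path=parts.path or "/").geturl()


def header(headers, name):
    """Case-insensitive header lookup (servers vary the casing)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def follow_redirects(start_url, fetch, max_hops=10):
    """Return the chain as a list of (url, status, next_url_or_None)."""
    chain = []
    url = normalize(start_url)
    for _ in range(max_hops):
        status, headers = fetch(url)
        location = header(headers, "Location")
        if status in REDIRECT_STATUSES and location:
            target = normalize(urljoin(url, location))  # Location may be relative
            chain.append((url, status, target))
            url = target
        else:
            chain.append((url, status, None))
            return chain
    raise RuntimeError(f"more than {max_hops} redirects from {start_url}")


def find_downgrades(chain):
    """Hops where an https:// URL redirects to an http:// URL."""
    return [(src, dst) for src, _status, dst in chain
            if dst and urlsplit(src).scheme == "https"
            and urlsplit(dst).scheme == "http"]


def check(start_url, fetch=live_fetch):
    """Follow the chain and summarise downgrades and the final scheme."""
    chain = follow_redirects(start_url, fetch)
    return {
        "chain": chain,
        "downgrades": find_downgrades(chain),
        "final_https": urlsplit(chain[-1][0]).scheme == "https",
    }


if __name__ == "__main__":
    for label, fetch in (("as reported", fake_fetch), ("after fix", fixed_fetch)):
        result = check("https://accqpub.usaid.gov", fetch=fetch)
        print(f"== {label} ==")
        for src, status, dst in result["chain"]:
            print(f"{status} {src} -> {dst or '(final)'}")
        for src, dst in result["downgrades"]:
            print(f"DOWNGRADE: {src} -> {dst}")
```

Run against the constructed table the checker reports one downgrade on the first hop even though the chain ends on `https://`, which is the situation konklone describes; with the corrected `Location` the same chain has none. Against a live host, pass `live_fetch` (the default) instead. Note that this deliberately ignores the `Strict-Transport-Security` header on the 302: a browser with that policy already cached would rewrite the `http://` hop itself, which is exactly why an HSTS-aware client, or a scanner that applies the policy to the redirect, can miss the downgrade.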

jwilkinsusaid commented 6 years ago

@konklone Very helpful, thanks!