Closed Benjamin-Loison closed 1 year ago
Sorry, I don't see the issue with this one?
I'm not an expert with HTTPS and HSTS. There are binaries on the website which could, to some extent (see below), be maliciously modified by a man-in-the-middle, leading to the execution of arbitrary code on the computer of whoever downloads and runs them. For instance, just naively typing openal.org
in the URL bar of a modern web browser such as Chromium makes us retrieve the content of the webpage over the unencrypted HTTP protocol.
By refusing to serve HTTP content, properly redirecting HTTP requests to HTTPS, and properly configuring HSTS, a visitor can no longer be attacked by a man-in-the-middle after their first visit to the website (the protection only applies after a user has visited the site at least once, relying on the principle of "trust on first use").
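To make the redirect-plus-HSTS requirement concrete, here is an added checker that is not part of this issue or of the openal.org site. It audits a pair of responses (the plain-HTTP one and the HTTPS one) against the two properties named above: the HTTP response must be a permanent redirect to the same host over https, and the HTTPS response must carry a valid Strict-Transport-Security header. The response objects, the sample headers, and the six-month `max-age` threshold are constructed assumptions; the "current" sample only encodes what this issue states (content served over plain HTTP), not anything else about the live site.

```python
"""Audit HTTP->HTTPS redirect and HSTS policy for a host.

Added example (not project code). Works on constructed Response objects so it
runs offline; feed it real responses from http.client or requests to audit a
live host.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed threshold: many deployment guides treat six months as the minimum
# max-age for HSTS to be meaningful.
SIX_MONTHS = 15552000


@dataclass
class Response:
    url: str
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security value; return None if it is invalid.

    RFC 6797 makes max-age mandatory; includeSubDomains and preload are flags.
    """
    if value is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


def check_http_redirect(http_resp):
    """Findings for the plain-HTTP response: it must redirect to https on the same host."""
    findings = []
    if http_resp.header("Strict-Transport-Security"):
        # Browsers ignore HSTS received over a non-secure transport (RFC 6797).
        findings.append("HSTS header sent over plain HTTP is ignored by browsers")
    if http_resp.status == 200:
        findings.append("HTTP serves content instead of redirecting")
        return findings
    if http_resp.status not in (301, 308):
        findings.append(f"HTTP returned {http_resp.status}, expected a permanent redirect")
    location = http_resp.header("Location")
    if location is None:
        findings.append("redirect has no Location header")
        return findings
    target, origin = urlsplit(location), urlsplit(http_resp.url)
    if target.scheme != "https":
        findings.append(f"redirect target is not https: {location}")
    if target.hostname != origin.hostname:
        findings.append("redirect leaves the host, so HSTS for the original host is never set")
    return findings


def check_hsts(https_resp):
    """Findings for the HTTPS response: a valid, long-lived HSTS policy is required."""
    findings = []
    if urlsplit(https_resp.url).scheme != "https":
        findings.append("HSTS is only honoured over HTTPS; response was not HTTPS")
    policy = parse_hsts(https_resp.header("Strict-Transport-Security"))
    if policy is None:
        findings.append("no valid Strict-Transport-Security header on HTTPS response")
        return findings
    if policy["max_age"] < SIX_MONTHS:
        findings.append(f"HSTS max-age {policy['max_age']} is below {SIX_MONTHS} seconds")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains stay reachable over HTTP")
    return findings


def audit(http_resp, https_resp):
    """Combined findings; an empty list means both properties hold."""
    return check_http_redirect(http_resp) + check_hsts(https_resp)


# Constructed samples. CURRENT_HTTP encodes only what the issue reports:
# plain HTTP returns the page content. The HARDENED_* pair is the desired state.
CURRENT_HTTP = Response("http://openal.org/", 200, {"Content-Type": "text/html"})
CURRENT_HTTPS = Response("https://openal.org/", 200, {"Content-Type": "text/html"})
HARDENED_HTTP = Response("http://openal.org/", 301, {"Location": "https://openal.org/"})
HARDENED_HTTPS = Response("https://openal.org/", 200,
                          {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})

if __name__ == "__main__":
    print("current:", audit(CURRENT_HTTP, CURRENT_HTTPS))
    print("hardened:", audit(HARDENED_HTTP, HARDENED_HTTPS))
```

The check on the HTTP response matters as much as the header itself: a browser only records the HSTS policy from a response it received over HTTPS, so if plain HTTP keeps serving content, a user who types `openal.org` never reaches the page that sets the policy. Adding `preload` and submitting the host to the browser preload list is the usual way to close the remaining first-visit window that "trust on first use" leaves open.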
The functionality seems to be the same as icculus.org, so at this time I don't believe we will change OpenAL.org to redirect to https, but it's a good thing to double check, so thank you for the report.
While http://openal.org is returning the website content.