astarub / campus_app

Campus App of Ruhr-University Bochum
https://app.asta-bochum.de
GNU Affero General Public License v3.0

TLS on https://app.asta-bochum.de/ #132

Closed MixColumns closed 10 months ago

MixColumns commented 10 months ago

https://app.asta-bochum.de/termine/liste/ and https://app.asta-bochum.de/ are both marked as insecure, as external resources are loaded with http instead of https. It would be nice to include the resources via https.

Additionally, the chain contains the anchor cert, which shouldn't happen; TLS 1.0 and 1.1 are still supported even though they are outdated, and there is support for weak TLS 1.2 ciphers. Also, it would be nice to see DNS CAA in use (see https://datatracker.ietf.org/doc/html/rfc6844).

domai-tb commented 10 months ago

Can you please specify where the URLs you mentioned are accessed without encryption? I am not aware of any place in the current release where we use HTTP instead of HTTPS and a search in the code did not reveal anything.

The outdated TLS versions are currently still supported for reasons of downward compatibility. I agree with you that ideally we should only use TLS 1.3. We are looking into this.

MixColumns commented 10 months ago

The insecure requests are not from within the app but from the website, which loads resources without https from the webserver, e.g. http://app.asta-bochum.de/wp-content/uploads/2022/11/back-icon.png instead of https://app.asta-bochum.de/wp-content/uploads/2022/11/back-icon.png, when rendering the content, causing a browser warning.

MixColumns commented 10 months ago

I assume the reason is that the webserver rewrites http to https using an .htaccess file instead of using proper HSTS.

Even though the 301 redirects to https, the initial request is http instead of https, causing the browser to dislike it and show the connection as not secure.

MixColumns commented 10 months ago

Windows has 1.0 disabled by default now, AFAIK, and check the dates at https://de.wikipedia.org/wiki/Transport_Layer_Security#Versionen: they are EOL already, and 1.3 has been available since 2018. I don't think there is a need to keep the older versions running.

henry-herrmann commented 10 months ago

External sources are now loaded using https, the HSTS header is now set, and the website now uses TLS 1.3 and 1.2.
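As an added example (not code from the campus_app project), here is a small self-check for the three points raised in this thread: a parser that flags sub-resources loaded over plain http (mixed content), a check that the Strict-Transport-Security header is present with a reasonable max-age, and a TLS client context whose floor is TLS 1.2 so that TLS 1.0/1.1 are refused. The sample HTML and headers are constructed; the one-year HSTS threshold is an assumption.

```python
import re
import ssl
from html.parser import HTMLParser

# Constructed sample: an https page that still references one image over plain
# http (the mixed-content case from this issue). The <a href> is a navigation
# link, not a sub-resource, so browsers do not treat it as mixed content.
SAMPLE_HTML = """
<html><body>
<img src="http://app.asta-bochum.de/wp-content/uploads/2022/11/back-icon.png">
<img src="https://app.asta-bochum.de/wp-content/uploads/2022/11/back-icon.png">
<link rel="stylesheet" href="//app.asta-bochum.de/style.css">
<a href="http://example.org/">link</a>
</body></html>
"""

class MixedContentParser(HTMLParser):
    """Collect src/href values on resource-loading tags that use plain http."""
    RESOURCE_TAGS = {"img", "script", "link", "iframe", "source", "video", "audio"}

    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.RESOURCE_TAGS:
            return
        for name, value in attrs:
            if name in ("src", "href") and value and value.lower().startswith("http://"):
                self.insecure.append(value)

def find_mixed_content(html):
    """Return the list of http:// sub-resource URLs found in the page."""
    parser = MixedContentParser()
    parser.feed(html)
    return parser.insecure

def hsts_ok(headers, min_age=31536000):
    """True if Strict-Transport-Security is set with max-age >= min_age (one year assumed)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security", "")
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    return bool(match) and int(match.group(1)) >= min_age

def hardened_client_context():
    """TLS context that refuses TLS 1.0/1.1, mirroring the server-side fix in this thread."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

Running find_mixed_content over the served HTML and hsts_ok over the response headers after a deployment catches a regression of either fix before a browser warning does.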