Closed NickCraver closed 5 years ago
This isn't an issue because http:/ redirects to https:/ for the urls in question.
It is an issue, because someone can intercept and change that redirect. The only mitigation for such (short of changing the link) is HSTS preloading. That domain is not on the HSTS preload list nor is it even sending the header.
Intercept it how?
On Sun, Nov 18, 2018, 2:27 PM Nick Craver <notifications@github.com> wrote:
It is an issue, because someone can intercept and change that redirect. The only mitigation for such (short of changing the link) is HSTS preloading https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security. That domain is not on the HSTS preload list https://hstspreload.org/ nor is it even sending the header.
I don't think it's necessary to get into "why https://?" here in the issue - that's just another copy of the discussion on the internet. sslstrip is one example (of many). But anyone in control of your connection or DNS (e.g. any public WiFi) can send the connection where they want. Or any malicious browser extensions (e.g. Chrome store buyouts), etc. The point is: there are lots of ways. If you're curious, search for http => https hijacking to see many examples.
The basics are: you can't have a secure connection to anything if first hopping through an insecure one. This redirect is no different.
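Added example, not code from the thread or from Microsoft's repository: a small Python check for the HSTS situation Nick describes. It parses a Strict-Transport-Security header and reports what keeps a response from meeting the hstspreload.org requirements (max-age of at least one year, includeSubDomains, preload), and it applies the browser rule that a header received over plain HTTP is ignored, so a header on the http:// redirect response alone changes nothing. Header values used with it are constructed, not captured from the domain in question.

```python
from dataclasses import dataclass
from typing import List, Optional

PRELOAD_MIN_MAX_AGE = 31536000  # hstspreload.org: max-age of at least one year

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797); None means no policy."""
    if header is None:
        return None
    max_age, include_sub, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        value = value.strip().strip('"')   # max-age may be given as a quoted-string
        if name == "max-age":
            if not value.isdigit():
                return None                # malformed max-age: header is ignored
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None                        # max-age is mandatory
    return HstsPolicy(max_age, include_sub, preload)

def effective_policy(scheme: str, header: Optional[str]) -> Optional[HstsPolicy]:
    """Browsers only honour HSTS received over HTTPS (RFC 6797 section 8.1)."""
    if scheme.lower() != "https":
        return None
    return parse_hsts(header)

def preload_problems(scheme: str, header: Optional[str]) -> List[str]:
    """List what keeps a response from meeting the HSTS preload-list requirements."""
    policy = effective_policy(scheme, header)
    if policy is None:
        return ["no effective Strict-Transport-Security policy"]
    problems = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy.max_age} is below one year")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems
```

Feed it the scheme and the Strict-Transport-Security value from a real response (for example from `curl -sI https://example.invalid`) to see which of the three requirements the site still lacks.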
The setting for the repo here (home link: https://github.com/Microsoft/referencesource) has the website set as http://referencesource.microsoft.com/ when everything has moved to https:// now. Can we please update this setting to https://referencesource.microsoft.com/?
Which setting are you referring to?
After @NickCraver explained it to me, I was able to fix this :-)