microsoft / referencesource

Source from the Microsoft .NET Reference Source that represents a subset of the .NET Framework
https://referencesource.microsoft.com/
MIT License

Repo Link: http:// -> https:// #87

Closed NickCraver closed 5 years ago

NickCraver commented 5 years ago

The setting for the repo here (home link: https://github.com/Microsoft/referencesource) has the website set as http://referencesource.microsoft.com/ when everything has moved to https:// now. Can we please update this setting to https://referencesource.microsoft.com/?

jakesays-old commented 5 years ago

This isn't an issue because http:/ redirects to https:/ for the urls in question.

NickCraver commented 5 years ago

It is an issue, because someone can intercept and change that redirect. The only mitigation for such (short of changing the link) is HSTS preloading. That domain is not on the HSTS preload list nor is it even sending the header.

jakesays-old commented 5 years ago

Intercept it how?

On Sun, Nov 18, 2018, 2:27 PM Nick Craver <notifications@github.com> wrote:

It is an issue, because someone can intercept and change that redirect. The only mitigation for such (short of changing the link) is HSTS preloading https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security. That domain is not on the HSTS preload list https://hstspreload.org/ nor is it even sending the header.


NickCraver commented 5 years ago

I don't think it's necessary to get into "why https://?" here in the issue - that's just another copy of the discussion on the internet. sslstrip is one example (of many). But anyone in control of your connection or DNS (e.g. any public WiFi) can send the connection where they want. Or any malicious browser extensions (e.g. Chrome store buyouts), etc. The point is: there are lots of ways. If you're curious, search for http => https hijacking to see many examples.

The basics are: you can't have a secure connection to anything if first hopping through an insecure one. This redirect is no different.
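The two points raised above (an http:// link makes the first hop and its redirect travel in plaintext, and only a Strict-Transport-Security header, ideally on the preload list, closes that gap for later visits) can be turned into a small audit. The script below is an added example, not code from the referencesource repo or from anyone in this thread. It parses an STS header following the RFC 6797 directive syntax and checks it against the hstspreload.org submission requirements as I understand them (max-age of at least one year, includeSubDomains, preload); those thresholds and all sample response headers are constructed for the example, and nothing here contacts the real site.

```python
"""Audit a link and its server's HSTS policy for the plaintext-first-hop problem.

Added example (not part of microsoft/referencesource). Sample headers are
constructed; the preload thresholds are an assumption taken from the
hstspreload.org requirements and may change.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Assumption: hstspreload.org requires max-age >= 1 year (31536000 s).
PRELOAD_MIN_MAX_AGE = 31_536_000


@dataclass
class HstsPolicy:
    present: bool                     # a *valid* STS header was found
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False

    def preload_eligible(self) -> bool:
        """True when the header satisfies the three preload-list directives."""
        return (self.present and self.max_age is not None
                and self.max_age >= PRELOAD_MIN_MAX_AGE
                and self.include_subdomains and self.preload)


def parse_hsts(header: Optional[str]) -> HstsPolicy:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Directive names are case-insensitive, values may be quoted, and a header
    without a numeric max-age is invalid and must be ignored by the UA, so it
    is reported as 'not present'.
    """
    if header is None:
        return HstsPolicy(present=False)
    policy = HstsPolicy(present=True)
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return HstsPolicy(present=False)
            policy.max_age = int(value)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if policy.max_age is None:
        return HstsPolicy(present=False)
    return policy


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def audit_link(url: str, response_headers: Dict[str, str]) -> List[str]:
    """Return the findings a reviewer would raise for this link + server policy."""
    findings = []
    if urlsplit(url).scheme.lower() == "http":
        findings.append("link uses http://: the first hop and its redirect travel in plaintext")
    policy = parse_hsts(get_header(response_headers, "Strict-Transport-Security"))
    if not policy.present:
        findings.append("no valid Strict-Transport-Security header: every visit can start over http")
    elif not policy.preload_eligible():
        findings.append("HSTS present but not preload-eligible: the very first visit is unprotected")
    return findings


# Constructed sample responses, not captured from any real server.
SAMPLE_RESPONSES = {
    "no-hsts": {},
    "hsts-only": {"Strict-Transport-Security": "max-age=10886400"},
    "preload-ready": {"strict-transport-security":
                      "max-age=31536000; includeSubDomains; preload"},
}

if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        for link in ("http://example.test/", "https://example.test/"):
            print(label, link, audit_link(link, headers) or ["ok"])
```

Changing the repo link to https:// removes the first finding; only the server's HSTS header (and preload status) removes the other two, which is why both were discussed in this thread.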

terrajobst commented 5 years ago

The setting for the repo here (home link: https://github.com/Microsoft/referencesource) has the website set as http://referencesource.microsoft.com/ when everything has moved to https:// now. Can we please update this setting to https://referencesource.microsoft.com/?

Which setting are you referring to?

terrajobst commented 5 years ago

After @NickCraver explained it to me, I was able to fix this :-)