HSTS on test.openquantumsafe.org #2062
catharsis71
started this conversation in
General
Replies: 1 comment
-
@bhess Are you able to look at this?
0 replies
-
The test.openquantumsafe.org main site (port 443) sets a Strict-Transport-Security header which (among other things) tells browsers to not allow certificate trust errors to be bypassed by the user. Ordinarily that's a good thing, but all the individual test sites such as https://test.openquantumsafe.org:6002/ use certificates from a private CA, and if the browser has already visited port 443 and cached the HSTS header, then the browser won't allow clicking through the trust errors. But if the browser hasn't visited port 443 first, it will be able to click through the trust error, because the individual test sites don't set the HSTS header.
I know I could make the browser trust your ca.crt, but that's a lot more work, plus it would have to be undone afterward for safety.
Would you consider removing the Strict-Transport-Security header from https://test.openquantumsafe.org/ ?
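A worked model of the behaviour described in the post above, added here as an example; it is not code from the discussion or from the Open Quantum Safe project. It parses Strict-Transport-Security values according to RFC 6797, keeps a browser-style HSTS store keyed by host name only (the port is not part of the key, which is why a policy learned on port 443 also governs port 6002 of the same host), and reports whether a certificate error could still be clicked through in the two browsing orders the post describes. The names parse_hsts, HstsCache, fetch_hsts and click_through_possible, and the header value "max-age=31536000; includeSubDomains", are constructed for the example; the page does not show the real site's directive values.

```python
"""Added example, not Open Quantum Safe project code: why an HSTS policy
cached from test.openquantumsafe.org:443 blocks certificate click-through
on test.openquantumsafe.org:6002. Header values below are made up."""
import http.client
import re
import ssl
import time
from urllib.parse import urlsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security field value (RFC 6797 section 6.1).
    Returns a policy dict, or None when the header is invalid (no max-age,
    non-numeric max-age, or a repeated directive). Unknown directives are
    ignored, as the RFC requires."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')      # directive values may be quoted
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", val):
                return None
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


class HstsCache:
    """Minimal model of a browser's HSTS store. RFC 6797 identifies a Known
    HSTS Host by domain name alone; the port is not part of the key, so a
    header seen on :443 also applies to :6002 of the same host."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock for deterministic tests
        self._hosts = {}           # host -> (expiry, include_subdomains)

    def observe(self, url, header_value):
        """Record the policy from a response. A real UA only honours the header
        on an error-free TLS connection (section 8.1); here the caller is
        trusted on that point, but non-https URLs are still refused."""
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname is None:
            return False
        policy = parse_hsts(header_value or "")
        if policy is None:
            return False
        host = parts.hostname.lower()
        if policy["max_age"] == 0:
            self._hosts.pop(host, None)   # max-age=0 deletes the entry
        else:
            self._hosts[host] = (self._now() + policy["max_age"],
                                 policy["include_subdomains"])
        return True

    def is_known(self, host):
        """True if host, or a superdomain that set includeSubDomains, has an
        unexpired entry."""
        labels, now = host.lower().split("."), self._now()
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue
            if i == 0 or entry[1]:
                return True
        return False

    def cert_error_bypassable(self, url):
        """Whether a browser would offer a click-through for a certificate
        error at url: for a Known HSTS Host it must not (section 8.4)."""
        return not self.is_known(urlsplit(url).hostname)


def fetch_hsts(host, port=443, timeout=10):
    """Live probe: raw STS header from host:port, or None. Verification is
    disabled only so ports behind a private CA can be inspected; a browser
    would not accept a policy from such a connection."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


def click_through_possible(visited_443_first, now=lambda: 1000.0):
    """Replay the two browsing orders from the post with a constructed header
    value (the real site's directives are not quoted on the page)."""
    cache = HstsCache(now=now)
    if visited_443_first:
        cache.observe("https://test.openquantumsafe.org/",
                      "max-age=31536000; includeSubDomains")
    return cache.cert_error_bypassable("https://test.openquantumsafe.org:6002/")


if __name__ == "__main__":
    print("visited :443 first  ->", click_through_possible(True))
    print("straight to :6002   ->", click_through_possible(False))
```

The offline replay is what matters: with a fresh profile the :6002 click-through works, and after one visit to :443 it does not, purely because the store ignores the port. fetch_hsts is there to confirm which ports actually send the header on a live host; it must not be used as a model of what a browser would trust, since it turns certificate verification off.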