no clean HSTS-Preload / DNSSEC

Thank you for reporting this!

Archived link to document progress, if any.

I am inclined to ignore this unless someone has an argument why it is an actual issue.
Reason: no actual security issue for anyone.
In case of:

  • in case of no MITM: the browser will ignore the HSTS header
  • in case of MITM: the MITM can inject whatever malicious HSTS header, since this is over an unencrypted/unauthenticated HTTP connection (this is about the HTTP (non-TLS) version, which is only a stub that redirects to HTTPS/TLS).

Also…

  • In case browser honors HSTS preload list: this wouldn’t happen anyhow
  • In case browser ignores HSTS preload list: then whatever the clearnet version headers are cannot help anyhow

It might be counter to some standard but I don’t see how it helps. It would complicate server nginx config for minimal gain (namely making a test website happy).

This seems a bit pointless to me: redirecting http://whonix.org (which we don’t use - whonix.org currently doesn’t use the non-subdomain, main domain, except to redirect) to https://whonix.org, only to then redirect to https://www.whonix.org. That would be a double redirect and make the website slower for those who just type whonix.org. Other test websites focused on website performance would complain about the double redirect.

Similar to the above.

  • In case browser honors HSTS preload list: then we don’t have a problem - first visit will use https (TLS) version even if user typed http (cleartext) version whonix.org
  • In case browser ignores HSTS preload list: then nothing helps anyhow.

This policy appears to already be preloaded (or pending), but it doesn’t satisfy preloading requirements. Because this is an older preload entry there is currently no danger of being removed from the list, but that might change in the future. We recommend that you update your policy to match what is preloaded.

I will apply advice from
Strict-Transport-Security - HTTP | MDN
which contains the preload keyword.

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Previously, when we requested inclusion in the HSTS preload list manually by e-mail or mailing list (I forget which) years ago, there was no such keyword. Nowadays there is. Will add soon to be future proof.

This one I don’t know about, and it can only be fixed on the gandi site. Dunno if they’ll agree this is an issue. Could you contact them please?


Please scrutinize this. @HulaHoop
