Hi,

I just ran into this: If you search something using the form on top in https://www.debian.org/ or other sites on www.debian.org the search query will be sent unencrypted over plain HTTP. The reason is that the HTML form element has this property:

action="http://search.debian.org/cgi-bin/omega"

This might not be what the user expects (HTTPS sites should query over HTTPS) and may lead to warnings by the browser.

I tried using the protocol-independent version by modifying the HTML to a protocol-independent version

action="//search.debian.org/cgi-bin/omega"

which works fine in Firefox and WebKit and doesn't leak the query any more.

Now I ran into a new problem: https://search.debian.org/ provides an invalid SSL certificate (it is only valid for host names debian.org and www.debian.org, Error code: ssl_error_bad_cert_domain). Even if I do this it does not work since search.debian.org delivers different sites depending on whether it is connected to by HTTP or HTTPS:

http://search.debian.org/cgi-bin/omega?DB=en&P=something delivers a result site,
https://search.debian.org/cgi-bin/omega?DB=en&P=something delivers an error page ("Page not found").

Regards
Chris
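
The check described in the message above, as an added example that is not part of the original message: it resolves each form's `action` against the page URL the way a browser does and flags forms on an HTTPS page that submit over plain HTTP. The sample markup is constructed (only the two `action` values come from the message), the function and verdict names are hypothetical, and the script does not test the target's certificate or its response.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionCollector(HTMLParser):
    """Collect the raw action attribute of every <form> in a document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.actions.append(dict(attrs).get("action") or "")


def audit_forms(page_url, html):
    """Return (raw_action, resolved_target, verdict) for each form on the page."""
    collector = FormActionCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for raw in collector.actions:
        # urljoin gives "//host/path" the scheme of the page it appears on.
        target = urljoin(page_url, raw)
        scheme = urlsplit(target).scheme
        if scheme == "https":
            verdict = "ok"
        elif scheme == "http" and page_scheme == "https":
            verdict = "insecure-submit-from-https-page"
        elif scheme == "http":
            verdict = "plaintext"
        else:
            verdict = "other-scheme"
        findings.append((raw, target, verdict))
    return findings


# Constructed sample markup; only the two action values come from the message.
SAMPLE = """
<form action="http://search.debian.org/cgi-bin/omega"><input name="P"></form>
<form action="//search.debian.org/cgi-bin/omega"><input name="P"></form>
"""

if __name__ == "__main__":
    for page in ("https://www.debian.org/", "http://www.debian.org/"):
        for raw, target, verdict in audit_forms(page, SAMPLE):
            print(f"{page}  {raw!r} -> {target}  [{verdict}]")
```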