#3753: dev.mutt.org: redirect http to https
-------------------------+----------------------
 Reporter:  ilf          |      Owner:  mutt-dev
     Type:  enhancement  |     Status:  new
 Priority:  major        |  Milestone:
Component:  doc          |    Version:
 Keywords:               |
-------------------------+----------------------
dev.mutt.org is available as both http and https.
Having both available can reveal login information and session cookies from https over an incidental http connection.

Also, [https://citizenlab.org/2014/08/cat-video-and-the-death-of-clear-text/ plaintext is actively used as an attack vector]:

> Thus far we have provided two examples of commercial tools that have widely proliferated and that enable purchasers (for a fee) to exploit clear-text traffic in some of the most popular sites on the web.

> In order for network injection appliances to function, they rely on the fact that popular websites will not encrypt all of their traffic. In order to mitigate these types of attacks, we suggest that providers serve all content over TLS, and provide end-to-end encryption wherever possible. The use of HSTS and certificate pinning is also strongly recommended.

So let's just default to HTTPS and let HTTP redirect to it.

According to the HTTP header, the webserver is "Apache/2.2.22 (Ubuntu)". The !BetterCrypto project recommends the following config for that:

{{{
<VirtualHost *:80>
    Redirect permanent / https://SERVER_NAME/
</VirtualHost>
}}}

https://git.bettercrypto.org/ach-master.git/blob/HEAD:/src/configuration/Webservers/Apache/hsts-vhost

(While on it, www.mutt.org could use some HTTPS, too :)

-- 
Ticket URL: <http://dev.mutt.org/trac/ticket/3753>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
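The ticket quotes only the port-80 half of the recommendation and mentions HSTS separately. Below is an added example, not taken from the ticket, the Mutt project or the BetterCrypto repository, of the complete vhost pair for Apache 2.2: the plaintext vhost that only redirects, and the TLS vhost that actually sends the Strict-Transport-Security header. The hostname dev.mutt.org is taken from the ticket; the certificate paths and the max-age value are assumptions. Apache does not allow comments after a directive on the same line, so every comment sits on its own line.

```apache
# Added example (not the ticket's or the project's own config).
# Assumes Apache 2.2 with mod_ssl and mod_headers loaded; certificate
# paths and the HSTS max-age are placeholders chosen for illustration.

# Port 80: never serve content in plaintext, only redirect.
# "Redirect" appends the rest of the request URI, so
# http://dev.mutt.org/trac/ticket/3753 lands on the https equivalent.
<VirtualHost *:80>
    ServerName dev.mutt.org
    Redirect permanent / https://dev.mutt.org/
</VirtualHost>

# Port 443: serve the site and set HSTS. Browsers ignore the header on a
# plaintext response, so it belongs only in the TLS vhost; "always" makes
# mod_headers add it to error responses too, not just 2xx.
<VirtualHost *:443>
    ServerName dev.mutt.org
    SSLEngine on
    # Assumed paths.
    SSLCertificateFile    /etc/ssl/certs/dev.mutt.org.pem
    SSLCertificateKeyFile /etc/ssl/private/dev.mutt.org.key
    # max-age is in seconds (one year here). A client that has seen this
    # header will refuse plaintext and certificate errors for that long,
    # so test with a short value first (e.g. 300) before raising it.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

To check the result from outside, `curl -I http://dev.mutt.org/trac/ticket/3753` should return a 301 whose Location header carries the same path on https, and `curl -I https://dev.mutt.org/` should show the Strict-Transport-Security header; if the header appears on the port-80 response instead, it is doing nothing.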