
HTTP Strict Transport Security[1] is designed specifically to prevent that attack. Unfortunately, Linode's manager doesn't seem to use it:

    $ curl -I https://manager.linode.com/
    HTTP/1.1 200 OK
    Server: nginx/0.7.65
    Date: Tue, 07 May 2013 16:23:07 GMT
    Content-Type: text/html;charset=UTF-8
    Connection: keep-alive
    Vary: Accept-Encoding
If they were, there would be a line like this:

    $ curl -sI https://github.com | fgrep Strict
    Strict-Transport-Security: max-age=2592000
Which tells the browser, for the next 2592000 seconds (30 days), only request github.com over HTTPS, never HTTP.

Not sure why Linode isn't using HSTS — lack of awareness? The super-old version of Nginx is also a little scary.

[1] https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
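An added example, not code from the thread: a small Python checker that parses a Strict-Transport-Security value the way a browser does (RFC 6797) and classifies a raw response head such as the two curl outputs above. The sample heads are constructed from those outputs, and the 180-day minimum is an assumed threshold, not something the comments state.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class HstsPolicy:
    max_age: int            # seconds the browser must keep forcing HTTPS
    include_subdomains: bool
    preload: bool

def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797): directives are
    ';'-separated, names are case-insensitive, max-age is mandatory.
    Returns None when the header is malformed and a browser would ignore it."""
    max_age = None
    include_subdomains = preload = False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not val.isdigit():
                return None         # duplicate or non-numeric max-age
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as the RFC requires
    return None if max_age is None else HstsPolicy(max_age, include_subdomains, preload)

def find_hsts(raw_head: str) -> Optional[str]:
    """Return the Strict-Transport-Security value from a raw response head."""
    for line in raw_head.splitlines():
        name, _, val = line.partition(":")
        if name.strip().lower() == "strict-transport-security":
            return val.strip()
    return None

def assess(raw_head: str, min_days: int = 180) -> str:
    """Classify a response head as 'missing', 'invalid', 'weak' or 'ok'."""
    value = find_hsts(raw_head)
    if value is None:
        return "missing"
    policy = parse_hsts(value)
    if policy is None:
        return "invalid"
    return "weak" if policy.max_age < min_days * 86400 else "ok"

# Constructed sample heads, modelled on the two curl outputs quoted above.
NO_HSTS = "HTTP/1.1 200 OK\r\nServer: nginx/0.7.65\r\nContent-Type: text/html;charset=UTF-8\r\n"
GITHUB_LIKE = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=2592000\r\n"
```

With the assumed 180-day floor the 30-day GitHub policy is reported as "weak"; pass `min_days=30` to see it accepted, and note that a malformed header (no max-age, or two of them) is treated as absent, exactly as browsers do.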



Nginx 0.7.65 is packaged by Ubuntu for 10.04 LTS. Should still get security updates.



