
Firstly, thanks to GitHub using HSTS on github.com (although not www.github.com), the certificate error will be fatal in Chrome and (I believe, but haven't checked) Firefox as long as you have visited GitHub previously.

(It's not preloaded HSTS so it would have to be learnt from a previous, unattacked connection.)

I know that the unbypassable errors for some sites upset the more technically minded people, but I think that incidents like this show its value.

The CloudShark trace shows what appears to be Firefox connecting to the GitHub IP address, but the server clearly isn't GitHub from the config. The server appears to be configured to accept the client's ciphersuite preference, but doesn't support DHE nor ECDHE.

The server is also only 9ms from the client - that's clearly not crossing any oceans. I'd also guess that the server is overloaded at the time because the ServerHello (which doesn't take significant processing to generate in this case) takes 900ms to come back.

Sadly, it appears to show the user overriding the certificate error and talking to the server anyway :( Hopefully that was a fresh FF install just to see what would happen (which would explain why HSTS didn't prevent the override).

Lastly, the certificate appears to be self-signed, but the Authority Key Id doesn't match. One assumes, based on "OpenSSL Generated Certificate" that OpenSSL was used, but the person may have had some trouble. I'd guess that they generated a CA certificate first (with the same Subject) and then signed the certificate in question as a leaf. Many of the tutorials that you'll find online are for that sort of setup so perhaps they weren't very familiar with X.509 certificates.
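An added example, not part of the original comment: a minimal Python model of a browser's dynamic HSTS store following RFC 6797. It shows why a certificate error is only fatal after a previous clean visit, and why a policy learnt for a bare domain does not cover `www.` unless `includeSubDomains` was sent. The header values, class and method names are constructed for illustration.

```python
import time

def parse_sts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age is required")
    return max_age, include_sub

class HstsStore:
    """Hypothetical model of a dynamic (non-preloaded) HSTS store."""
    def __init__(self):
        self.hosts = {}  # host -> (expiry time, include_subdomains)

    def note_response(self, host, sts_value, cert_valid, now=None):
        # A header seen on a connection with certificate errors is ignored,
        # so an attacked first visit can never teach (or clear) the policy.
        if not cert_valid:
            return
        now = time.time() if now is None else now
        max_age, include_sub = parse_sts(sts_value)
        if max_age == 0:
            self.hosts.pop(host.lower(), None)  # max-age=0 deletes the entry
        else:
            self.hosts[host.lower()] = (now + max_age, include_sub)

    def is_hsts(self, host, now=None):
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            # Exact match always counts; a parent domain's entry only
            # counts when it was noted with includeSubDomains.
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def cert_error_action(self, host, now=None):
        # Known HSTS host: hard failure, no click-through offered.
        return "fatal" if self.is_hsts(host, now) else "overridable"
```
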

Didn't know of HSTS, thanks.

Where would one keep up with stuff like that, other than keeping up with new RFCs?

I maintain a complete guide to SSL/TLS deployment:

SSL/TLS Deployment Best Practices https://www.ssllabs.com/projects/best-practices/

You may want to integrate some of the advice from here in your HSTS section:


It seems even GitHub is susceptible to this. That is, for people who type www.github.com into their browser rather than github.com. They both did the redirect wrong, as well as leaving HSTS off https://www.github.com.

agl's blog is a good source: http://www.imperialviolet.org/

OWASP has lots of useful security info, https://www.owasp.org
