[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
Re: cve.mitre.org website is down due to SSL error
On second thought changing the SSL cert would be a better user
experience because browsers would not issue warnings, and it would be
bad for people to get used to SSL warnings when accessing the site. I
think there should still be a redirect though...
Pascal
On 02/04/2016 04:39 AM, Pascal Meunier wrote:
> Interesting. All links on the site are to cve.mitre.org, the cert is
> valid for cve.mitre.org (and others). AFAIK that's always been the
> case, and cve.mitre.org is the correct URL. I don't know why some
> people link to www.cve.mitre.org instead. The service is rated "A" by
> Qualys labs:
>
> https://www.ssllabs.com/ssltest/analyze.html?d=cve.mitre.org&s=198.49.146.233&latest
>
> https://www.ssllabs.com/ssltest/analyze.html?d=cve.mitre.org&s=192.52.194.135
>
>
> As it's an Apache server, people using the wrong URL with https could be
> redirected automatically to the correct one with something like this for
> HTTPS connections:
>
> RewriteCond %{HTTP_HOST} www.cve.mitre.org($|:443) [NC]
> RewriteRule ^/(.*) https://cve.mitre.org/$1 [L,R]
>
> That seems like a better solution than removing www.cve.mitre.org from
> DNS and expecting people to fix their incorrect links, or changing the
> SSL cert.
>
> Pascal
>
> On 02/03/2016 07:13 PM, Kurt Seifried wrote:
>> Attackers might be trying to steal your information from
>> www.cve.mitre.org
>> (for example, passwords, messages, or credit cards).
>> NET::ERR_CERT_COMMON_NAME_INVALID
>>
>> specifically it seems to think it is msm.mitre.org and/or taxii.mitre.org
>> right now?
>>
>