misconfigured redirections on https://lists.gnupg.org
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Aug 11 06:07:49 CEST 2015
Most web servers will redirect by adding a trailing slash if one was
missing from the URL.
https://lists.gnupg.org/ does a peculiar broken redirection when looking
at the pipermail archives.
Consider the difference between the two URLs:
X https://lists.gnupg.org/pipermail/gnupg-devel/2015-August
Y https://lists.gnupg.org/pipermail/gnupg-devel/2015-August/
X should get redirected to Y, but instead it gets redirected to a
service on a non-active port entirely:
http://lists.gnupg.org:8002/pipermail/gnupg-devel/2015-August/
(see wget log below)
This transitions from https to http, even, which means that the response
could be forged by a network attacker, which would be strange (and in
contradiction to the HSTS header provided).
Please let me know if there's a better place to report this than
gnupg-devel.
Regards,
--dkg
0 dkg at alice:/tmp/cdtemp.3U28xU$ wget -O/dev/null -S --progress=dot https://lists.gnupg.org/pipermail/gnupg-devel/2015-August
--2015-08-11 00:03:11-- https://lists.gnupg.org/pipermail/gnupg-devel/2015-August
Resolving lists.gnupg.org (lists.gnupg.org)... 217.69.76.57, 2001:aa8:fff1:2100::57
Connecting to lists.gnupg.org (lists.gnupg.org)|217.69.76.57|:443... connected.
HTTP request sent, awaiting response...
HTTP/1.1 301 Moved Permanently
Date: Tue, 11 Aug 2015 03:55:41 GMT
Strict-Transport-Security: max-age=31536000
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Location: http://lists.gnupg.org:8002/pipermail/gnupg-devel/2015-August/
Location: http://lists.gnupg.org:8002/pipermail/gnupg-devel/2015-August/ [following]
--2015-08-11 00:03:11-- http://lists.gnupg.org:8002/pipermail/gnupg-devel/2015-August/
Connecting to lists.gnupg.org (lists.gnupg.org)|217.69.76.57|:8002... failed: Connection refused.
Connecting to lists.gnupg.org (lists.gnupg.org)|2001:aa8:fff1:2100::57|:8002... failed: Network is unreachable.
Resolving lists.gnupg.org (lists.gnupg.org)... 217.69.76.57, 2001:aa8:fff1:2100::57
Connecting to lists.gnupg.org (lists.gnupg.org)|217.69.76.57|:8002... failed: Connection refused.
Connecting to lists.gnupg.org (lists.gnupg.org)|2001:aa8:fff1:2100::57|:8002... failed: Network is unreachable.
4 dkg at alice:/tmp/cdtemp.3U28xU$
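An added check, not part of this report: the script below parses the 301 response captured in the wget log above and flags the https-to-http downgrade, the port change, and the contradiction with the HSTS header that the message describes. The audit_redirect helper and its message strings are my own, not anything from the lists.gnupg.org configuration.

```python
"""Flag unsafe redirects, such as an HTTPS -> HTTP downgrade, in a raw HTTP response."""
from urllib.parse import urlsplit

# Raw response (status line + headers) exactly as captured by wget in the log above.
RESPONSE = """HTTP/1.1 301 Moved Permanently
Date: Tue, 11 Aug 2015 03:55:41 GMT
Strict-Transport-Security: max-age=31536000
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Location: http://lists.gnupg.org:8002/pipermail/gnupg-devel/2015-August/
"""

def parse_response(raw):
    """Split a raw response into (status_code, {lower-cased header name: value})."""
    lines = [l for l in raw.splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def port_of(u):
    """Effective port of a split URL (explicit port, else the scheme default)."""
    return u.port or {"https": 443, "http": 80}[u.scheme]

def audit_redirect(request_url, raw_response):
    """Return a list of problems found with a redirect response to request_url."""
    status, headers = parse_response(raw_response)
    if status not in (301, 302, 303, 307, 308) or "location" not in headers:
        return []  # not a redirect, nothing to audit
    src, dst = urlsplit(request_url), urlsplit(headers["location"])
    problems = []
    if src.scheme == "https" and dst.scheme == "http":
        problems.append("downgrade: https -> http")
        if "strict-transport-security" in headers:
            problems.append("redirect contradicts the HSTS header sent in the same response")
    if dst.hostname == src.hostname and port_of(dst) != port_of(src):
        problems.append(f"port changed: {port_of(src)} -> {port_of(dst)}")
    # A trailing-slash redirect should keep scheme, host and port and only append "/".
    expected = request_url + "/" if not request_url.endswith("/") else request_url
    if headers["location"] != expected and dst.path == src.path + "/":
        problems.append(f"trailing-slash redirect should point at {expected}")
    return problems

if __name__ == "__main__":
    for p in audit_redirect("https://lists.gnupg.org/pipermail/gnupg-devel/2015-August", RESPONSE):
        print("-", p)
```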