
Re: cve.mitre.org website is down due to SSL error



On second thought, changing the SSL cert would be a better user 
experience because browsers would not issue warnings, and it would be 
bad for people to get used to SSL warnings when accessing the site.  I 
think there should still be a redirect though...

Pascal

On 02/04/2016 04:39 AM, Pascal Meunier wrote:
> Interesting.  All links on the site are to cve.mitre.org, the cert is
> valid for cve.mitre.org (and others).  AFAIK that's always been the
> case, and cve.mitre.org is the correct URL.  I don't know why some
> people link to www.cve.mitre.org instead.  The service is rated "A" by
> Qualys labs:
>
> https://www.ssllabs.com/ssltest/analyze.html?d=cve.mitre.org&s=198.49.146.233&latest
>
> https://www.ssllabs.com/ssltest/analyze.html?d=cve.mitre.org&s=192.52.194.135
>
>
> As it's an Apache server, people using the wrong URL with https could be
> redirected automatically to the correct one with something like this for
> HTTPS connections:
>
>          RewriteCond     %{HTTP_HOST}    www.cve.mitre.org($|:443) [NC]
>          RewriteRule     ^/(.*)          https://cve.mitre.org/$1 [L,R]
>
> That seems like a better solution than removing www.cve.mitre.org from
> DNS and expecting people to fix their incorrect links, or changing the
> SSL cert.
>
> Pascal
>
> On 02/03/2016 07:13 PM, Kurt Seifried wrote:
>> Attackers might be trying to steal your information from
>> www.cve.mitre.org
>> (for example, passwords, messages, or credit cards).
>> NET::ERR_CERT_COMMON_NAME_INVALID
>>
>> specifically it seems to think it is msm.mitre.org and/or taxii.mitre.org
>> right now?
>>
>
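
The name check behind NET::ERR_CERT_COMMON_NAME_INVALID, and the reason a rewrite rule by itself cannot clear the warning, as an added example that is not part of the original messages. The SAN list is constructed from hostnames mentioned in the thread (it is not the real certificate's contents), and the function names are hypothetical.

```python
# Added example: RFC 6125-style DNS name matching, as a browser applies it to
# a certificate's subjectAltName entries during the TLS handshake.

# Constructed SAN list built from hostnames named in this thread; it is not
# the contents of the real certificate.
SAN_DNS_NAMES = ["cve.mitre.org", "msm.mitre.org", "taxii.mitre.org"]


def dns_name_matches(pattern: str, host: str) -> bool:
    """True if one SAN dNSName entry covers the requested host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False  # a wildcard never spans more than one label
    if any("*" in label for label in p[1:]):
        return False  # wildcards are only honoured in the left-most label
    if p[0] == "*":
        # Require at least two fixed labels so "*.org" can never match.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False  # partial wildcards ("w*") are rejected in this sketch
    return p == h


def host_covered(host: str, san_dns_names: list[str]) -> bool:
    return any(dns_name_matches(name, host) for name in san_dns_names)


def https_outcome(host: str, san_dns_names: list[str], redirects: dict[str, str]) -> str:
    """Model the order of events for an https:// request to `host`."""
    # The name check is part of certificate validation, which finishes before
    # the client sends any HTTP request, so a server-side redirect is never seen.
    if not host_covered(host, san_dns_names):
        return "certificate name error"
    if host in redirects:
        return "redirect to " + redirects[host]
    return "ok"


if __name__ == "__main__":
    redirects = {"www.cve.mitre.org": "https://cve.mitre.org/"}
    for san in (SAN_DNS_NAMES, SAN_DNS_NAMES + ["www.cve.mitre.org"]):
        print(san, "->", https_outcome("www.cve.mitre.org", san, redirects))
```

A wildcard entry such as `*.mitre.org` would not help either, since it covers `cve.mitre.org` but not the two-label prefix in `www.cve.mitre.org`.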


Page Last Updated or Reviewed: February 11, 2016