2018 Honda Accord Forum

Discussion Starter #1
Hello, I just want to advise that this site lacks TLS (HTTPS) and this should be a concern for user safety and privacy. Interactive web applications such as web forums should default to HTTPS, especially considering folks tend to reuse their passwords on multiple websites.

I do see that the web service listens on port 443 but does not negotiate a connection successfully:

Code:
~ $ nmap -p 80,443 www.accordxclub.com
Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-21 14:33 PDT
Nmap scan report for www.accordxclub.com (35.186.236.242)
Host is up (0.015s latency).
rDNS record for 35.186.236.242: 242.236.186.35.bc.googleusercontent.com

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds

Code:
~ $ curl -IL https://www.accordxclub.com
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.accordxclub.com:443

Also note that the HTTP app endpoint does not redirect to an HTTPS URL:

Code:
~ $ curl -IL http://www.accordxclub.com
HTTP/1.1 200 OK
Accept-Ranges: none
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Date: Sat, 21 Apr 2018 21:39:35 GMT
Expires: Sat, 21 Apr 2018 21:39:35 GMT
Pragma: private
Server: Apache
Set-Cookie: bblastvisit=1524346775; expires=Sun, 21-Apr-2019 21:39:35 GMT; Max-Age=31536000; path=/
Set-Cookie: bblastactivity=0; expires=Sun, 21-Apr-2019 21:39:35 GMT; Max-Age=31536000; path=/
X-Cluster-Node: accordxclub-3865036746-q30c7
X-Topify-Platform: vb
X-Topify-T_s: adv_index
X-Ua-Compatible: IE=Edge,chrome=1
Via: 1.1 google
Transfer-Encoding: chunked

Contrast this behavior to a discussion board that does redirect HTTP to HTTPS traffic:

Code:
~ $ curl -IL http://community.letsencrypt.org
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://community.letsencrypt.org/
Connection: close

HTTP/2 200 
server: nginx/1.13.11
date: Sat, 21 Apr 2018 21:39:24 GMT
content-type: text/html; charset=utf-8
vary: Accept-Encoding
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-discourse-route: list/latest
cache-control: no-store, must-revalidate, no-cache, private
x-request-id: 998181a1-6646-499b-81a1-1bb2a088db90
x-runtime: 0.067907
referrer-policy: no-referrer-when-downgrade
discourse-proxy-id: app-router-tiehunter06
strict-transport-security: max-age=5184000

Please mitigate, thank you!

Discussion Starter #2 (Edited)
I see this has been fixed:

Code:
$ curl -IL http://www.accordxclub.com
HTTP/1.1 301 Moved Permanently
Cache-Control: max-age=0
Content-Type: text/html; charset=iso-8859-1
Date: Sat, 09 Jun 2018 22:23:13 GMT
Expires: Sat, 09 Jun 2018 22:23:13 GMT
Location: https://www.accordxclub.com/
Server: Apache
Via: 1.1 google
Transfer-Encoding: chunked

HTTP/2 200 
accept-ranges: none
cache-control: private, max-age=0
content-security-policy: upgrade-insecure-requests
content-type: text/html; charset=ISO-8859-1
date: Sat, 09 Jun 2018 22:23:13 GMT
expires: Sat, 09 Jun 2018 22:23:13 GMT
pragma: private
server: Apache
set-cookie: bbsessionhash=630a5c69f5c6b69a286cb2ea05b45685; path=/; HttpOnly
set-cookie: bblastvisit=1528582994; expires=Sun, 09-Jun-2019 22:23:14 GMT; Max-Age=31536000; path=/; secure
set-cookie: bblastactivity=0; expires=Sun, 09-Jun-2019 22:23:14 GMT; Max-Age=31536000; path=/; secure
strict-transport-security: max-age=3600; includeSubDomains
x-cluster-node: accordxclub-77845997c7-nsz2n
x-topify-platform: vb
x-topify-t_s: adv_index
x-ua-compatible: IE=Edge,chrome=1
via: 1.1 google
alt-svc: clear

Thank you for the appropriate response to this issue.
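As an added example that is not part of this thread: a small Python checker for the three properties the two captures (before and after the fix) contrast, namely an HTTP-to-HTTPS redirect, a Strict-Transport-Security header, and Secure/HttpOnly flags on Set-Cookie. The `BEFORE` and `AFTER` inputs are constructed here by re-typing the relevant lines from the first and second posts' `curl -IL` output; `parse_transcript` and `audit` are names chosen for this example.

```python
import re

# Constructed from the first post's capture: plain HTTP, 200 OK, no redirect, no flags.
BEFORE = """HTTP/1.1 200 OK
Set-Cookie: bblastvisit=1524346775; expires=Sun, 21-Apr-2019 21:39:35 GMT; Max-Age=31536000; path=/
Set-Cookie: bblastactivity=0; expires=Sun, 21-Apr-2019 21:39:35 GMT; Max-Age=31536000; path=/
"""

# Constructed from the second post's capture: 301 to https://, then the HTTPS response.
AFTER = """HTTP/1.1 301 Moved Permanently
Location: https://www.accordxclub.com/

HTTP/2 200
set-cookie: bbsessionhash=630a5c69f5c6b69a286cb2ea05b45685; path=/; HttpOnly
set-cookie: bblastvisit=1528582994; expires=Sun, 09-Jun-2019 22:23:14 GMT; Max-Age=31536000; path=/; secure
strict-transport-security: max-age=3600; includeSubDomains
"""

def parse_transcript(raw):
    """Split a `curl -IL` transcript (responses separated by a blank line) into
    a list of (status_code, [(header_name_lowercased, value), ...])."""
    responses = []
    for block in re.split(r"\n\s*\n", raw.strip()):
        lines = block.splitlines()
        status = int(lines[0].split()[1])  # "HTTP/1.1 301 ..." / "HTTP/2 200"
        headers = []
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
        responses.append((status, headers))
    return responses

def audit(raw):
    """Report the redirect, HSTS and cookie-flag findings for one transcript."""
    responses = parse_transcript(raw)
    status, first = responses[0]                  # what plain HTTP answered
    location = next((v for n, v in first if n == "location"), "")
    final = responses[-1][1]                       # headers of the last hop
    hsts = next((v for n, v in final if n == "strict-transport-security"), None)
    max_age = re.search(r"max-age=(\d+)", hsts) if hsts else None
    cookies = [v for n, v in final if n == "set-cookie"]
    def flags(c): return {a.strip().lower() for a in c.split(";")[1:]}
    return {
        "redirects_to_https": status in (301, 302, 307, 308) and location.lower().startswith("https://"),
        "hsts_max_age": int(max_age.group(1)) if max_age else None,
        "hsts_include_subdomains": bool(hsts) and "includesubdomains" in hsts.lower(),
        "cookies_missing_secure": [c.split("=")[0] for c in cookies if "secure" not in flags(c)],
        "cookies_missing_httponly": [c.split("=")[0] for c in cookies if "httponly" not in flags(c)],
    }
```

Run against `AFTER` it confirms the redirect and HSTS but still flags `bbsessionhash` (the session cookie) as lacking `Secure` and `bblastvisit` as lacking `HttpOnly`, which is the kind of residual gap worth re-checking after a fix like the one in this thread.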

Administrator
HTTPS was always part of our plan and we are in the middle of adding it to all of our sites; however, it just takes some time since we manage a lot of sites!

Please let us know if you continue to have any questions or concerns.

Cheers,

Erik