Closed Bug 1543913 Opened 6 years ago Closed 6 years ago

Default Apache2 web page presented via http://tls13.crypto.mozilla.org/

Categories

(Websites :: Other, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: hultdin, Assigned: franziskus)

References

()

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Under certain conditions, i.e. when accessing tls13.crypto.mozilla.org via an http proxy with SSL/TLS inspection, you will get the default Apache2 web page served over http. The redirect from http to https doesn't seem to work properly in all conditions. A default Apache2 web page may indicate a misconfigured service.

Flags: sec-bounty?

Could you describe the conditions a bit for me so that I can replicate it? Thanks!

I was able to reproduce the "error" using a relatively old version of Curl with no or limited support for TLS v1.3

% curl --version
curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets

% curl http://tls13.crypto.mozilla.org
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<!--
Modified from the Debian original for Ubuntu
Last updated: 2014-03-19
See: https://launchpad.net/bugs/1288690
-->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Apache2 Ubuntu Default Page: It works</title>
<style type="text/css" media="screen">
...

It seems as if the redirect from http to https is failing or missing: if the first request is for the plain-text http version, the default Apache2 page gets returned. As soon as the https (TLS v1.3) version is requested, the HSTS header makes it hard to get back to the plain-text site.

I hope that this will help you to replicate the problem

/Magnus
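The check the reporter did by hand with curl can be automated as a small defensive probe: classify the plain-text http response (redirect to https, default Apache page, or real content over http) and confirm the https response carries an HSTS header. The following is an added example, not code from the bug or from Mozilla; the three raw HTTP responses are constructed inline so it runs offline, and the hostname `example.test` is a placeholder.

```python
import re
from urllib.parse import urlsplit

# Constructed sample responses (hypothetical, not captured from the real host).
# 1) What the reporter saw: an Apache default page returned over plain http.
HTTP_DEFAULT_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><head><title>Apache2 Ubuntu Default Page: It works</title></head>"
    "<body>It works!</body></html>"
)
# 2) What a correctly configured port-80 vhost should answer.
HTTP_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://example.test/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# 3) The https side, with the HSTS header the reporter mentions.
HTTPS_WITH_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>TLS 1.3 test server</body></html>"
)

DEFAULT_PAGE_RE = re.compile(r"Apache2 (Ubuntu|Debian) Default Page|It works", re.I)
REDIRECT_CODES = (301, 302, 307, 308)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_plaintext_response(raw, expected_host):
    """Classify what a plain-http request returned.

    Only a redirect whose Location is https:// on the expected host counts
    as the intended behaviour; everything else is worth flagging.
    """
    status, headers, body = parse_response(raw)
    if status in REDIRECT_CODES:
        target = urlsplit(headers.get("location", ""))
        if target.scheme == "https" and target.hostname == expected_host:
            return "redirects_to_https"
        return "redirects_elsewhere"
    if status == 200 and DEFAULT_PAGE_RE.search(body):
        # Exactly the symptom in this bug: a stock "It works" page over http.
        return "default_apache_page"
    return "serves_content_over_http"


def hsts_max_age(raw):
    """Return the HSTS max-age (seconds) from a response, or None if absent."""
    _, headers, _ = parse_response(raw)
    value = headers.get("strict-transport-security")
    if not value:
        return None
    match = re.search(r"max-age=(\d+)", value, re.I)
    return int(match.group(1)) if match else None


if __name__ == "__main__":
    for label, raw in (("default page", HTTP_DEFAULT_PAGE), ("redirect", HTTP_REDIRECT)):
        print(label, "->", classify_plaintext_response(raw, "example.test"))
    print("https HSTS max-age ->", hsts_max_age(HTTPS_WITH_HSTS))
```

In a real run the raw strings would come from a socket or a `curl -i` capture of the port-80 and port-443 responses; a result of `default_apache_page` means the port-80 VirtualHost is answering with its stock content instead of redirecting, which is what a `Redirect permanent / https://<host>/` (or equivalent mod_rewrite rule) in that VirtualHost would fix.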

I can verify this behaviour with curl 7.54.0 (x86_64-apple-darwin17.0) libcurl/7.54.0 LibreSSL/2.0.20 zlib/1.2.11 nghttp2/1.24.0

I don't think this indicates a bigger misconfiguration, however thank you Magnus for bringing it to our attention. April, should we address this?

We should probably fix it, but I don't think it's that big of a security issue.

Hi,

I agree that it’s most likely not a big security issue, I just wanted you to know what I had found/observed.

/Magnus

:franziskus, absolutely no rush or anything (because I know you're out on leave), but when you get back this autumn and have some extra time, could you take a look at setting up a redirect here?

Thanks so much!

Assignee: nobody → franziskuskiefer
Group: websites-security
Flags: sec-bounty? → sec-bounty-

Server and domain have been shut down. There are enough TLS 1.3 servers out there now that this one isn't needed any longer.

Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID