v6.ifconfig.co about echoip HOT 7 CLOSED

Yes? It looks like somebody was careless with HSTS?

from echoip.

https://v6.ifconfig.co/

Unable to communicate securely with peer: requested domain name does not match the server’s certificate.
HTTP Strict Transport Security: true
HTTP Public Key Pinning: false

v6.ifconfig.co uses an invalid security certificate.
The certificate is only valid for the following names: atbapi.tar.io, git.tar.io, tar.io
Error code: SSL_ERROR_BAD_CERT_DOMAIN

from echoip.

@k0nsl - HSTS not available now

$ curl -sik https://v6.ifconfig.co
HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 14 Jul 2016 20:11:32 GMT
Content-Type: application/json
Content-Length: 51
Connection: keep-alive
Vary: Accept-Encoding
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: *

{
  "status": 404,
  "message": "route not found"
}

Bad frontend/balancer config?

from echoip.

HTTPS is not supported for v6.ifconfig.co. Please see #15 and #18.

from echoip.

But HSTS Preloading Chrome Edge Firefox IE Not in: Tor
of SSLlabs SSL Report in 2001:16d8:ee03::cafe:d00d aka ifconfig.co
create this torouble
@k0nsl assertion partly true
enough to force a single request http to https routes inside the browser, as I think

from echoip.

@gema-arta Yes, HSTS was mistakenly turned on in the past, and it is on for ifconfig.co, but not for v6.ifconfig.co.

from echoip.

I found one problem. The vhost for ifconfig.co was incorrectly adding includeSubdomains in the HSTS header, causing HSTS to be enabled for v6.ifconfig.co as well. This has now been fixed.

Before:
`Strict-Transport-Security: max-age=31536000; includeSubdomains; preload``

After:
Strict-Transport-Security: max-age=31536000; preload

from echoip.