republique-et-canton-de-geneve / chvote-1-0

Electronic vote system, version 1.

Home Page:https://republique-et-canton-de-geneve.github.io/chvote-1-0


Broken http => https redirect handling

alokmenghrajani opened this issue · comments

Sorry if I'm reporting this issue in the incorrect place. Hopefully you can help me route it.

http://www.evote-ch.ch/vd incorrectly redirects to https://doc.evote-ch.chvd (note the lack of slash between ch and vd).

If an attacker is able to purchase the chvd top-level domain (very unlikely), they could theoretically compromise the election process.

$ curl -v 'http://www.evote-ch.ch/vd'
*   Trying 160.53.75.136...
* TCP_NODELAY set
* Connected to www.evote-ch.ch (160.53.75.136) port 80 (#0)
> GET /vd HTTP/1.1
> Host: www.evote-ch.ch
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 28 Jan 2019 07:21:27 GMT
< Location: https://doc.evote-ch.chvd
< Content-Length: 233
< Content-Type: text/html; charset=iso-8859-1
< Set-Cookie: TS01e3dc2d=0175768efa8072e65a48d44dfa6c49612c22053b2e1ee970b4397f6c52294d0bf01bf66d65e1a81ae78af0e5c9a493202ec2f7d145; Path=/
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://doc.evote-ch.chvd">here</a>.</p>
</body></html>
* Connection #0 to host www.evote-ch.ch left intact
$
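The defect reported above is a redirect target built without the slash between the host and the path, so the browser ends up on a different registrable domain. The following checker is an added example, not code from the issue or from the chvote project: it parses a request URL and the Location header the server returned and reports whether the redirect keeps the scheme, host and path where they should be. The sample values are the ones quoted in the curl transcript; the "fixed" target `https://doc.evote-ch.ch/vd` is an assumption about what the corrected redirect looks like, since the thread does not state it. The `fetch_location` helper lets the same check run against a live host without following the redirect.

```python
"""Check that an http->https redirect keeps the host and path it should."""
import http.client
from urllib.parse import urlsplit

# Constructed samples taken from the curl transcript in the issue above.
REQUEST_URL = "http://www.evote-ch.ch/vd"
BROKEN_LOCATION = "https://doc.evote-ch.chvd"    # as observed: no slash, host becomes *.chvd
FIXED_LOCATION = "https://doc.evote-ch.ch/vd"    # assumed corrected target, not stated on the page

# Hosts the redirect is allowed to land on (assumption for this example).
ALLOWED_HOSTS = {"www.evote-ch.ch", "doc.evote-ch.ch"}


def check_redirect(request_url: str, location: str, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Return a list of problems with the redirect; an empty list means it is sane."""
    req = urlsplit(request_url)
    loc = urlsplit(location)
    problems = []

    # 1. The upgrade must actually go to TLS.
    if loc.scheme != "https":
        problems.append(f"target scheme is {loc.scheme!r}, expected 'https'")

    # 2. The target host must be one we control. urlsplit parses
    #    'https://doc.evote-ch.chvd' as host 'doc.evote-ch.chvd', which is a
    #    different registrable domain (TLD 'chvd') than 'doc.evote-ch.ch'.
    host = (loc.hostname or "").lower()
    if host not in allowed_hosts:
        problems.append(f"target host {host!r} is not an allowed host")

    # 3. The path and query must survive the redirect. A missing slash swallows
    #    the path into the host, so loc.path comes back empty here.
    if loc.path != req.path:
        problems.append(f"path changed from {req.path!r} to {loc.path!r}")
    if loc.query != req.query:
        problems.append(f"query changed from {req.query!r} to {loc.query!r}")

    return problems


def fetch_location(url: str, timeout: float = 10.0) -> str:
    """Issue one plain-HTTP GET and return the Location header without following it.

    Not used by the offline checks below; run it against a live host to feed
    check_redirect() with a real response.
    """
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("GET", path, headers={"Host": parts.hostname})
        resp = conn.getresponse()
        if resp.status not in (301, 302, 303, 307, 308):
            raise RuntimeError(f"expected a redirect, got HTTP {resp.status}")
        return resp.getheader("Location") or ""
    finally:
        conn.close()


if __name__ == "__main__":
    for label, loc in (("broken", BROKEN_LOCATION), ("fixed", FIXED_LOCATION)):
        issues = check_redirect(REQUEST_URL, loc)
        print(f"{label}: {REQUEST_URL} -> {loc}")
        for p in issues:
            print("  PROBLEM:", p)
        if not issues:
            print("  ok")
```

Run it as-is to see the broken Location flagged twice (wrong host, lost path) and the assumed fixed one pass; point `fetch_location` at your own http endpoint to audit real redirects. The host check is the one that matters for the attack sketched in the issue: a path-preservation check alone would still accept a redirect to an attacker-controlled domain that happened to carry the right path.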

Hi, thank you very much for your valuable input! We are working right now on finding the right fix and planning its deployment without risking any disruption of the service.

Kind regards

Hi, the broken redirection has been fixed.