Another "not fully secured"


#1

My domain is: https://decepticon.pl/

It's installed properly (I think) and it still shows that the domain is not fully secured. Can anyone give me a tip why?


#2

Hi @Dushnik

checked your domain (via https://check-your-website.server-daten.de/?q=decepticon.pl ):

| Domainname | Http-Status | redirect | Sec. | G |
| --- | --- | --- | --- | --- |
| http://www.decepticon.pl/ (193.218.152.246) | 301 | http://decepticon.pl/ | 0.630 | D |
| http://decepticon.pl/ (193.218.152.246) | 200 | | 0.677 | H |
| https://www.decepticon.pl/ (193.218.152.246) | 301 | https://decepticon.pl/ | 2.470 | B |
| https://decepticon.pl/ (193.218.152.246) | 200 | | 2.680 | B |

The main configuration is ok. Both connections are secure. The certificate

| Subject | Not before | Not after | Expiry | Names |
| --- | --- | --- | --- | --- |
| CN=decepticon.pl | 01.03.2019 | 30.05.2019 | expires in 89 days | decepticon.pl, www.decepticon.pl - 2 entries |

has both domain names, that’s good. Perhaps change some small things, the redirects are D / H (missing redirect).

But: The domain has a Grade I - Content problems - mixed content, missing files etc.

http://decepticon.pl/wp-content/uploads/2019/02/eset-autoryzowany-partner-logotyp-pion-1000px-300x163.png
http://decepticon.pl/wp-content/uploads/2019/02/logo-300x197.png

is mixed content. Change these to https - links.


#3

Thank you very much for the fast reply. Strange thing. I changed all photos on my site to https URLs as you suggested, but now my site is H rated ;/ It is fully protected now I think, but on https://check-your-website.server-daten.de/?q=decepticon.pl it is worse now :slight_smile:


#4

What the *** does that mean?


#5

On @JuergenAuer’s site this rating means that the HTTP version of the site fails to redirect to HTTPS, so users who just type the site name into their browser (rather than following a secure link) will continue to use the site over the insecure connection.

@Dushnik, the rating system may be a bit confusing (this isn’t really something that’s standardized at all across rating sites), but your change did make things better. It just prompted the site to focus on complaining about something else that was already a problem before.

I’m sure that “H” looks worse than “D” (because letter grades later in the alphabet are normally worse), but in this system it’s just a different, specific problem. If you can make http://decepticon.pl/ redirect users to https://decepticon.pl/, this problem will go away too.


#6

Your Grade H is better than I. I was mixed content, so my Firefox showed a warning.

And H is simple - no encryption. If you have a website, you don’t know which url is used. And if http://decepticon.pl/ is used, there is no redirect.

The problem: Browsers cache redirects (www -> non-www or inverse) and prefer https. So it's impossible to test with a browser if all 4 versions (http + https, non-www + www) are correct: 3 redirects, one https result, no loops, no wrong redirect.

That was the first idea when I started that tool.

The ranking system is on the first page - the left column.

If it is your first certificate, H is the first Grade which is ~~ ok. But if you want to do things better, Grade B should be possible.

First redirect http -> https without a new dns query, so http+non-www -> https+non-www, same with www. Then prefer one version (non-www or www-version) and add a redirect non-preferred -> preferred. That’s Grade B. Then all users have the same encrypted version.
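The 4-version check described in the two posts above, as an added example that is not code from the thread or from the check tool: it grades each variant's first hop and follows every chain from recorded responses, so it runs offline. The letter rules are my simplified reading of the grades discussed here (H: http answered in clear; D: redirect to an unencrypted target; A: http -> https on the same host; B: an https result), not the tool's actual scoring, and the response tables are constructed from the ones posted in the thread.

```python
from urllib.parse import urlsplit

# Added example (assumption: simplified grade rules); responses are {url: (status, location)}.
REDIRECTS = (301, 302, 307, 308)

def variants(domain):
    """The four URLs the thread refers to: http/https x non-www/www."""
    bare = domain[4:] if domain.startswith("www.") else domain
    return [f"{s}://{h}/" for s in ("http", "https") for h in (bare, "www." + bare)]

def grade_hop(url, responses):
    """Grade one row of the check table from its first hop only."""
    status, location = responses.get(url, (None, None))
    src = urlsplit(url)
    if status == 200:
        return "B" if src.scheme == "https" else "H"  # H: served in clear, no redirect
    if status in REDIRECTS and location:
        dst = urlsplit(location)
        if dst.scheme != "https":
            return "D"  # redirect, but the target is still unencrypted
        return "A" if src.scheme == "http" and dst.hostname == src.hostname else "B"
    return "?"  # nothing usable recorded for this url

def check_site(domain, responses, max_hops=10):
    """All four chains must end, loop-free, at one https URL that answers 200."""
    problems, ends = [], set()
    for url in variants(domain):
        seen, cur = [], url
        while cur not in seen and len(seen) < max_hops:
            seen.append(cur)
            status, location = responses.get(cur, (None, None))
            if status not in REDIRECTS or not location:
                break
            cur = location
        else:  # left the loop without break: revisited a url or ran out of hops
            problems.append(f"{url}: redirect loop")
            continue
        if status != 200 or urlsplit(cur).scheme != "https":
            problems.append(f"{url}: ends at {cur} with status {status}")
        ends.add(cur)
    if len(ends) > 1:
        problems.append(f"chains end at different urls: {sorted(ends)}")
    return {"ok": not problems, "destination": next(iter(ends)) if len(ends) == 1 else None, "problems": problems}

# Constructed from the two tables in the thread: the first check, then after the fix.
FIRST_CHECK = {"http://www.decepticon.pl/": (301, "http://decepticon.pl/"), "http://decepticon.pl/": (200, None),
               "https://www.decepticon.pl/": (301, "https://decepticon.pl/"), "https://decepticon.pl/": (200, None)}
AFTER_FIX = {"http://decepticon.pl/": (301, "https://decepticon.pl/"), "http://www.decepticon.pl/": (301, "https://www.decepticon.pl/"),
             "https://www.decepticon.pl/": (301, "https://decepticon.pl/"), "https://decepticon.pl/": (200, None)}
```

Recording the real responses means fetching each of the four URLs without following redirects (a plain browser visit would hide the cached hops); the functions then grade those records the same way.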


#7

The first idea was simple - Grade A - D. Then I started that tool - and found a lot of different things. So new Grades were added. At the end of 2018-11 there were 19 Grades. And I thought it would be ready.

Then followed own dns queries, nameserver checks, DNSSEC, ipv6, mixed content, EDNS, ports, ip-addresses, folders.

Main source of new ideas: This forum and the results of checks.


#8

Thanks!

Yep, the ranking system is my own idea, not a standard. But there are a lot of users who start with N (certificate not valid) or have a misconfiguration (http over port 443). They test, change, later they have E. They test again -> B or A.

The rule “http -> https without a new dns query” is from the Google preload site:

https://hstspreload.org/

Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.


#9

Thanks again :slight_smile: Now I'm on B rating :wink: Still something not perfectly good :wink:
I had http -> https redirection before, but now I changed it to another (.htaccess). I'm not good in www/ssl subjects, so I'm testing Google answers. After changing .htaccess to another Google advice, now it's B. But I don't know what "Missing HSTS-Header" is, but if B is still ok then I will stay where I am :slight_smile:


#10

Yep, now your 4 standard urls have 3 redirects and one https destination.

| Domainname | Http-Status | redirect | Sec. | G |
| --- | --- | --- | --- | --- |
| http://decepticon.pl/ (193.218.152.246) | 301 | https://decepticon.pl/ | 0.037 | A |
| http://www.decepticon.pl/ (193.218.152.246) | 301 | https://www.decepticon.pl/ | 0.037 | A |
| https://www.decepticon.pl/ (193.218.152.246) | 301 | https://decepticon.pl/ | 2.513 | B |
| https://decepticon.pl/ (193.218.152.246) | 200 | | 2.526 | B |

So every user sees the last version - https + non-www.

See the result of other site-checks with Grade A. That's a Strict-Transport-Security header:

Strict-Transport-Security: max-age=63072000

But if you have such a header and a wrong certificate, users can’t create an exception. So HSTS requires an always working certificate.

So if this is your first certificate, wait and see if the next renewal works as expected.

