
search on https://www.debian.org/ sends query via unencrypted HTTP
Hi

I just ran into this:
If you search something using the form on top in https://www.debian.org/
or other sites on www.debian.org the search query will be sent
unencrypted over plain HTTP. The reason is that the HTML form element
has this property:
action="http://search.debian.org/cgi-bin/omega"
This might not be what the user expects (HTTPS sites should query over
HTTPS) and may lead to warnings by the browser.

I tried using the protocol-independent version by modifying the HTML to
a protocol-independent version 
action="//search.debian.org/cgi-bin/omega"
which works fine in Firefox and WebKit and doesn't leak the query any
more.

Now I ran into a new problem: https://search.debian.org/ provides an
invalid SSL certificate (it is only valid for host names debian.org and
www.debian.org, Error code: ssl_error_bad_cert_domain).

Even if I do this it does not work since search.debian.org delivers
different sites depending on whether it is connected to by HTTP or
HTTPS: http://search.debian.org/cgi-bin/omega?DB=en&P=something delivers
a result site, https://search.debian.org/cgi-bin/omega?DB=en&P=something
delivers an error page ("Page not found").

Regards
Chris

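The mixed-content problem described in the message above can be checked mechanically: collect every form on a page, resolve its action attribute the way a browser would, and flag any form that would carry the user's input from an HTTPS page to a plain-HTTP endpoint. The script below is an added example, not code from the message or from the Debian website; it uses only the Python standard library, and the three forms in SAMPLE_HTML are constructed to mirror the cases discussed (the absolute http:// action, the protocol-relative rewrite, and a same-origin relative action).

```python
# Added example (not from the original message): detect <form> elements whose
# submission would leave an HTTPS page over plain HTTP, and show how a
# protocol-relative action ("//host/path") resolves against the page URL.
# Standard library only; the sample HTML below is constructed for the demo.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect (action, method) pairs from every <form> start tag."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = {k.lower(): (v or "") for k, v in attrs}
            # Browsers default to GET, which puts the query in the URL itself.
            self.forms.append((a.get("action", ""), a.get("method", "get").lower()))


def check_form_actions(page_url, html):
    """Return one dict per form: the action as written, its resolved URL,
    the method, and whether submitting it would downgrade the page's
    HTTPS to plain HTTP."""
    collector = _FormCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    results = []
    for action, method in collector.forms:
        # urljoin applies the same resolution rules a browser uses:
        #   ""             -> the page itself
        #   "/path"        -> same origin as the page
        #   "//host/path"  -> same scheme as the page (protocol-relative)
        #   "http://..."   -> used as-is, whatever the page's scheme is
        resolved = urljoin(page_url, action)
        target_scheme = urlsplit(resolved).scheme.lower()
        results.append({
            "action": action,
            "method": method,
            "resolved": resolved,
            "downgrade": page_scheme == "https" and target_scheme == "http",
        })
    return results


# Constructed sample: the absolute http:// action from the mail, the
# protocol-relative rewrite, and a same-origin relative action.
SAMPLE_HTML = """
<form method="get" action="http://search.debian.org/cgi-bin/omega">
  <input name="P"><input type="hidden" name="DB" value="en"></form>
<form method="get" action="//search.debian.org/cgi-bin/omega">
  <input name="P"></form>
<form method="post" action="/cgi-bin/omega"><input name="P"></form>
"""


def main():
    for r in check_form_actions("https://www.debian.org/", SAMPLE_HTML):
        verdict = "query sent over plain HTTP" if r["downgrade"] else "ok"
        print(f'{r["method"].upper():4} action="{r["action"]}" -> {r["resolved"]}: {verdict}')


if __name__ == "__main__":
    main()
```

Run as-is it reports the first form as a downgrade and the other two as fine; to check a live page, fetch its HTML and pass the URL it was served from as page_url, since the verdict depends on that scheme. Note that a protocol-relative action only helps if the target host actually serves the same content over HTTPS with a certificate valid for its name, which is the second problem the message goes on to describe.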