[Hanziq] Download links redirect to insecure HTTP
Posted: Wed Jul 05, 2017 1:28 pm
I noticed when looking at some server auto update scripts that the downloads get redirected to plain HTTP, which may be tampered with.
https://www.factorio.com/ forces itself to HTTPS (HSTS) which is good, with the download links being things like https://www.factorio.com/get-download/0 ... ss/linux64
But then that request returns this:
HTTP/1.1 302 FOUND
Connection: close
Server: gunicorn/19.7.0
Date: Wed, 05 Jul 2017 12:29:46 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 445
Location: http://eu2.factorio.com/releases/factorio_headless_x64_0.14.23.tar.gz?key=w7r9xKQWe50cJjDU6dJP4Q&expires=1499258386
Strict-Transport-Security: max-age=31536000
Set-Cookie: ...; HttpOnly; Path=/
Via: 1.1 vegur
https://eu2.factorio.com/releases/facto ... 1499258386 does work for me so the server is set up for HTTPS.
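An added example, not part of the original post: a POSIX shell check that an auto-update script could use to flag a 302 like the one above, plus a download wrapper that makes curl refuse any non-HTTPS hop. The function names, the `example.invalid` hosts and the sample headers are constructed for illustration; `--proto` and `--proto-redir` are existing curl options.

```shell
#!/bin/sh
# location_scheme HEADERS: print the scheme of the Location header, lowercased
# ("relative" when the target has no scheme, nothing when there is no Location).
location_scheme() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        tolower($0) ~ /^location:/ {
            sub(/^[^:]*:[ \t]*/, "")
            if (match($0, /^[A-Za-z][A-Za-z0-9+.-]*:\/\//))
                print tolower(substr($0, 1, RLENGTH - 3))
            else
                print "relative"
            exit
        }'
}

# is_downgrade REQUEST_URL HEADERS: succeed (exit 0) when a request made over
# https:// is answered with a redirect to any scheme other than https.
is_downgrade() {
    case "$1" in
        https://*|HTTPS://*) ;;
        *) return 1 ;;          # request was not HTTPS, nothing to downgrade
    esac
    scheme=$(location_scheme "$2")
    case "$scheme" in
        ""|relative|https) return 1 ;;   # no redirect, or it stays on HTTPS
        *) return 0 ;;
    esac
}

# safe_download URL OUTFILE: follow redirects, but only over HTTPS, so a
# downgrade makes the download fail instead of fetching over plain HTTP.
safe_download() {
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' \
         --output "$2" "$1"
}

# Constructed sample modelled on the response in the post (placeholder values).
SAMPLE_HEADERS='HTTP/1.1 302 FOUND
Location: http://mirror.example.invalid/releases/pkg.tar.gz?key=PLACEHOLDER&expires=0
Strict-Transport-Security: max-age=31536000'

if is_downgrade "https://www.example.invalid/get-download/pkg" "$SAMPLE_HEADERS"; then
    echo "downgrade: HTTPS request redirected to $(location_scheme "$SAMPLE_HEADERS")://"
fi
```

The HSTS header on the first response only covers the host that sent it, so a script-driven client has to enforce HTTPS on the redirect target itself.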