Message-ID: <CAE5Wca2YSPOYZA+pEetLBCjJLTMYrGQZLLZO1_fmFaS3JmC=wA@mail.gmail.com>
Date: Wed, 20 Jan 2016 11:24:02 -0200
From: Ricardo Iramar dos Santos <riramar@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] mobile.facebook.com is not on HSTS preload list or sending the Strict-Transport-Security header

Hi All,

I've noticed that the mobile.facebook.com domain is not on the HSTS preload
list or sending the Strict-Transport-Security header. All the other
domains like m.facebook.com are using HSTS properly.
I reported this to Facebook on 12/3/15 through the whitehat program
and got the answer below. I've checked again today and it is still not
using HSTS. Not sure why Facebook is not protecting this domain with
HSTS.

   Hi Ricardo,
   Thank you for sharing this information with us. Although this issue
   does not qualify as a part of our bounty program, we appreciate your
   report. We will follow up with you on any security bugs or with any
   further questions we may have.
   Thanks,

   Angelo
   Security
   Facebook

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
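As an added example (not part of the original post or of Facebook's code), the following Python audit parses a Strict-Transport-Security header value and reports what keeps it from being preload-ready. It assumes the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains and preload directives); the sample header values are constructed, not captured from the hosts in the post.

```python
"""Audit a Strict-Transport-Security (HSTS) header value for preload readiness."""
import urllib.request
from typing import Dict, List, Optional

# Assumed preload-list requirement: max-age of at least one year (hstspreload.org).
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value: Optional[str]) -> Dict[str, Optional[str]]:
    """Split an HSTS header value into a lower-cased directive -> value map."""
    directives: Dict[str, Optional[str]] = {}
    if not value:
        return directives
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        # RFC 6797 allows quoted directive values; normalise them.
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def assess_hsts(value: Optional[str]) -> List[str]:
    """Return findings for the policy; an empty list means it is preload-ready."""
    if value is None:
        return ["no Strict-Transport-Security header sent"]
    d = parse_hsts(value)
    findings: List[str] = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age directive missing or malformed")
    elif int(max_age) == 0:
        findings.append("max-age=0 disables HSTS")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        findings.append(f"max-age {max_age} is below the preload minimum of {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains directive missing")
    if "preload" not in d:
        findings.append("preload directive missing")
    return findings


def fetch_hsts_header(host: str, timeout: float = 10) -> Optional[str]:
    """Fetch the HSTS header from https://host/ (network call, not used in the offline demo)."""
    req = urllib.request.Request(f"https://{host}/", method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.get("Strict-Transport-Security")


# Constructed sample header values for the offline demonstration.
SAMPLES = {"hardened": "max-age=31536000; includeSubDomains; preload",
           "too_short": "max-age=3600", "missing": None}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, assess_hsts(header) or ["preload-ready"])
```

Running it against a live host means calling `assess_hsts(fetch_hsts_header(host))`; an empty result is the policy a preload submission expects to see.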
