I noticed that the downloads link on the webpage redirects to the HTTP version of the page. The server also downgrades the connection to HTTP even when HTTPS is explicitly requested.
Since the page hosts links to downloads, serving it over HTTP means the HTML and download links could be modified in transit by a network‑level attacker. Being hard-coded as http in the downloads.html page also prevents the browser from flagging the protocol downgrade to the user.
The main SimulationCraft site already supports HTTPS, so this is probably just an outdated or unintended server-side redirect rule.
I'll make a PR changing the HTML on the webpage to an HTTPS so that at least the downgrade will be flagged. The server‑side redirect from HTTPS → HTTP isn’t something I can change though, so that part would need to be handled separately if appropriate.
Thanks!
I noticed that the downloads link on the webpage redirects to the HTTP version of the page. The server also downgrades the connection to HTTP even when HTTPS is explicitly requested.
Since the page hosts links to downloads, serving it over HTTP means the HTML and download links could be modified in transit by a network‑level attacker. Being hard-coded as http in the downloads.html page also prevents the browser from flagging the protocol downgrade to the user.
The main SimulationCraft site already supports HTTPS, so this is probably just an outdated or unintended server-side redirect rule.
I'll make a PR changing the HTML on the webpage to an HTTPS so that at least the downgrade will be flagged. The server‑side redirect from HTTPS → HTTP isn’t something I can change though, so that part would need to be handled separately if appropriate.
Thanks!