Directory served over HTTPS

The directory URL must use the HTTPS scheme; a plaintext HTTP URL fails.

What this check verifies

The Web Bot Auth directory carries the public keys a verifier uses to check your signatures. This check looks at the resolved directory URL, after any redirects, and confirms it uses the https:// scheme. A http:// URL fails.

The check is on the scheme alone. It does not prove the body was served correctly; the reachability, media type, and JSON checks cover that. It only confirms the transport is encrypted.

Why it matters

The directory is the trust anchor for every signature you send. If a verifier fetches it over plaintext HTTP, anyone on the network path can rewrite the response in transit: swap your public keys for their own, then sign requests that verify against the keys they injected. The signature mechanism is then worthless, because the attacker controls the keys it is checked against.

HTTPS closes that gap. It authenticates the server and protects the response from tampering, so a verifier can trust that the keys it fetched are the keys you published. The web-bot-auth directory draft requires the well-known path to be served over HTTPS for this reason.

A plaintext redirect is the same problem. If your HTTPS URL redirects through an http:// hop, the response is exposed on that hop, which is why the check is applied to the final resolved URL rather than the URL you advertise.

How to fix it

  1. Serve the directory over HTTPS with a valid certificate. The well-known path is https://<your-host>/.well-known/http-message-signatures-directory.
  2. Reference the HTTPS URL everywhere your agent advertises it, including the Signature-Agent header it sends.
  3. If you redirect from a bare or canonical host, keep every hop on HTTPS. Do not bounce through a plaintext URL.

The usual cause is an agent or configuration that still points at an http:// URL, or an HTTP-to-HTTPS redirect chain that passes through a plaintext intermediate. Confirm the final resolved URL starts with https://.
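The following is an added example, not the checker's own code: it applies the scheme check described above to the redirect chain of a directory fetch. The chain is a constructed list of URLs (advertised URL first, final resolved URL last); treating a plaintext intermediate hop as a warning rather than a failure is an assumption made here.

```python
from urllib.parse import urlsplit

# Well-known path from the web-bot-auth directory draft.
WELL_KNOWN_PATH = "/.well-known/http-message-signatures-directory"


def directory_url(host):
    """Build the HTTPS directory URL an agent should advertise for a host."""
    return f"https://{host}{WELL_KNOWN_PATH}"


def check_directory_scheme(chain):
    """Evaluate the transport scheme of a resolved directory fetch.

    chain: URLs visited in order, from the advertised URL to the final
    resolved URL. With the `requests` library this would be
    [r.url for r in resp.history] + [resp.url]; here it is passed in directly.
    Returns (verdict, findings) with verdict "pass", "warn" or "fail".
    """
    if not chain:
        return "fail", ["no directory URL was resolved"]
    findings = []
    # Scheme names are case-insensitive (RFC 3986), so normalise before comparing.
    final_scheme = urlsplit(chain[-1]).scheme.lower()
    if final_scheme != "https":
        findings.append(f"final URL {chain[-1]} is not served over https://")
        return "fail", findings
    # The final hop is encrypted; still report any plaintext hop on the way,
    # since the response was exposed there. Assumption: that is a warning.
    for hop in chain[:-1]:
        if urlsplit(hop).scheme.lower() != "https":
            findings.append(f"redirect hop {hop} is plaintext")
    return ("warn" if findings else "pass"), findings


if __name__ == "__main__":
    # Constructed sample chains for a hypothetical host.
    good = [directory_url("agent.example")]
    bounced = ["http://agent.example" + WELL_KNOWN_PATH, directory_url("www.agent.example")]
    for chain in (good, bounced):
        print(check_directory_scheme(chain))
```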

References

  • RFC 7517 defines the JSON Web Key Set the directory serves.
  • The web-bot-auth directory draft (draft-meunier-http-message-signatures-directory) specifies the HTTPS well-known endpoint.
  • How grading works explains how the directory tier affects the grade.

How the checker scores this

Tier: JWKS directory
Role: Authoritative. Failing this can lower the grade ceiling or change the verdict.
Grade cap: Failing caps the grade at D (Directory not reachable over HTTPS).
Point deduction: A failure deducts 25 points; a warning deducts 6.