Chris Thompson

Results: 43 comments by Chris Thompson

Thanks for filing a bug. Are there specific headers you think BadSSL.com should use? I'm not sure any of these are relevant for us.

Hmm thinking about each of these:

* X-Frame-Options: We don't really care if anyone frames us. There shouldn't be any phishing or clickjacking risk on any badssl.com pages, and no...

Good idea, especially now that Firefox is experimenting with autoupgrade as well. Maybe "mixed-no-upgrade.badssl.com" and it can include the image via http://http.badssl.com/resources/image.jpg instead (which downgrades HTTPS back to HTTP).

Thanks for the report. `untrusted-root` and `self-signed` should be replaced now, but `no-sct` and `revoked` are waiting on validation with our CA -- hopefully I can get those updated very...

* We've regenerated the revoked.badssl.com cert -- once it has been added to CRLSet I'll push the new cert live to the site.
* `no-sct` should now be updated with...

The new certificate for `revoked.badssl.com` is now in Chrome's CRLSet and the server certificate has updated to match.

Thanks for the offer @BenWilson-Mozilla -- I've sent you an email to discuss further.

I have a goal to migrate the production server to a container as well, which I think would simplify this quite a bit. For now, it's a little complicated to...

#385 added bold+code formatting to the passwords. We might also want to add a note underneath, so leaving this open for now.

FYI this is still blocked on #332 (discussion on how to handle running multiple versions of nginx+openssl, which would be needed to get all the variations we want to run...