hstspreload.org icon indicating copy to clipboard operation
hstspreload.org copied to clipboard

Published 20 hours ago verified publisher icon chromium

Track down sites suggesting to blindly preload

Open lgarron opened this issue 9 years ago • 17 comments

Latest one:

  • https://docs.nextcloud.com/server/9/admin_manual/configuration_server/harden_server.html#enable-http-strict-transport-security

lgarron avatar Dec 02 '16 23:12 lgarron

https://github.com/roots/trellis defaults to preload. I've filed a bug at https://github.com/roots/trellis/issues/727

lgarron avatar Jan 07 '17 00:01 lgarron

PR set to twitter/secureheaders at https://github.com/twitter/secureheaders/pull/310

lgarron avatar Jan 07 '17 01:01 lgarron

The hstspreload.org site now also has a section about this: https://hstspreload.org/#opt-in

lgarron avatar Jan 07 '17 01:01 lgarron

https://www.section.io/blog/using-varnish-to-tweak-your-http-responses/ screen shot 2017-01-18 at 18 36 32

The relevant gist is owned by @section-io-gists

lgarron avatar Jan 19 '17 02:01 lgarron

Hi @lgarron,

Thanks for pointing this out, we've updated the gist to remove the preload directive.

glennslaven avatar Jan 19 '17 03:01 glennslaven

Thanks for pointing this out, we've updated the gist to remove the preload directive.

Looks good, thanks! (You may also want to remove the trailing semicolon, but that doesn't affect correctness.)

lgarron avatar Jan 19 '17 23:01 lgarron

@lgarron maybe the header should be changed to:

preload, SHA3(`${domain} I have read and understood https://hstspreload.org/#information`)

graingert avatar Feb 02 '17 18:02 graingert

@lgarron maybe the header should be changed to:

Then someone will find a way to automate it and shoot their users in the foot. :-P

More seriously, a site-specific confirmation is not a bad idea, but

  1. it requires extra configuration for infrastructure shared across multiple hosts (a specific value per host, instead of ≈ a boolean)
  2. It requires changing the header convention. This is a non-trivial change in semantics; I don't want to change or add anything other than preload without a spec.
  3. It requires us to figure out what to do for the special case of old domains.

It would probably be a good idea to discuss this at a meetup this year, which I would like to organize again once we've automated scanning and pruning.

lgarron avatar Feb 02 '17 21:02 lgarron

@graingert: Actually, would you mind filing a separate issue for that idea, so we can keep track of any progress on it in one place?

lgarron avatar Feb 02 '17 21:02 lgarron

@lgarron 1. no because you can provide a set of SHA3(domain + edu-nonce) and as long as your domain is in the set you win

win = preload

graingert avatar Feb 02 '17 22:02 graingert

Those that know enough to automate it, know not to

graingert avatar Feb 02 '17 22:02 graingert

@lgarron 1. no because you can provide a set of SHA3(domain + edu-nonce) and as long as your domain is in the set you win

Bloating headers is not a good idea. :-/

lgarron avatar Feb 02 '17 22:02 lgarron

HPACK means it's fine

graingert avatar Feb 02 '17 22:02 graingert

HPACK means it's fine

I don't think this is an appropriate assumption to make on behalf of all sites and clients.

In any case, I think a single hash for just the current domain is reasonable to ask for, and rolling it out won't be any harder from our end.

lgarron avatar Feb 02 '17 22:02 lgarron

Talks about preloading but doesn't mention how to submit to the list: https://blog.stackpath.com/glossary/hsts/

lgarron avatar Apr 05 '17 04:04 lgarron

https://varvy.com/pagespeed/hsts.html

lgarron avatar Jul 19 '17 11:07 lgarron

I think https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security could need some clarification around preload and the submission list.

Malvoz avatar Nov 12 '19 21:11 Malvoz