hstspreload.org

Run a daily status scan of the official preload list.

Open lgarron opened this issue 9 years ago • 6 comments

For https://crbug.com/608599

lgarron avatar May 20 '16 23:05 lgarron

While I see the need to remove old entries, I am worried about the requirements for the HSTS preload list constantly changing. As a website owner, I won't be visiting the HSTS preload page every week so my site may just be removed from the preload list without warning and I won't notice it until many months later.

If you want to be stricter to ensure the list doesn't get too long, may I suggest some kind of notification? E.g. if a site no longer meets the requirements, send an e-mail notification to the owner so he can fix it? Website owners could just include their e-mail address when submitting their site.

If that's not possible, I guess I could set up a weekly cronjob that queries if my site is still preloaded. Is this the correct way to check the preload status? https://hstspreload.appspot.com/status?domain=example.com

SWTORfan avatar May 23 '16 17:05 SWTORfan

I am worried about the requirements for the HSTS preload list constantly changing.

The requirements were not properly codified until recently, and they themselves are not likely to change much. In particular, if we start pruning the list we know we have to be very careful about applying new requirements to old sites.

E.g. if a site no longer meets the requirements, send an e-mail notification to the owner so he can fix it?

We explicitly don't collect emails for the preload list. We've talked about an hstspreload-announce mailing list, although that isn't guaranteed to reach everyone.

Is this the correct way to check the preload status? https://hstspreload.appspot.com/status?domain=example.com

Yes, I would suggest using that URL. (However, be prepared for a potential redirect from that URL in the future.)

lgarron avatar May 23 '16 18:05 lgarron
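A minimal version of the weekly cron check discussed above, added here as an example and not code from the hstspreload project or either participant. It queries the status URL named in the thread and assumes the endpoint returns a JSON object with `name` and `status` fields, with `status` reading `preloaded` for listed domains (the sample response is constructed); urllib follows redirects by default, which covers the caveat about a future redirect of that URL.

```python
import json
import sys
import urllib.request

# Status endpoint named in the thread. urllib follows HTTP redirects by
# default, which covers the "potential redirect from that URL" caveat.
STATUS_URL = "https://hstspreload.appspot.com/status?domain={domain}"

# Assumption: the endpoint answers with a JSON object carrying a "name" field
# that echoes the queried domain and a "status" field that is "preloaded"
# for domains currently on the list.
EXPECTED_STATUS = "preloaded"

# Constructed sample response (not captured from the real service).
SAMPLE_RESPONSE = {"name": "example.com", "status": "preloaded"}

def fetch_status(domain, timeout=15):
    """Query the status endpoint and return the decoded JSON object."""
    req = urllib.request.Request(STATUS_URL.format(domain=domain),
                                 headers={"User-Agent": "preload-status-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))

def check_preloaded(domain, status_doc):
    """Return (ok, reason). ok only if the response is an object for the
    requested domain that reports it as preloaded; anything else is a failure."""
    if not isinstance(status_doc, dict):
        return False, "response is not a JSON object"
    name = status_doc.get("name")
    if name != domain:
        return False, f"response is for {name!r}, not {domain!r}"
    status = status_doc.get("status")
    if status != EXPECTED_STATUS:
        return False, f"status is {status!r}, expected {EXPECTED_STATUS!r}"
    return True, "preloaded"

def main(argv):
    """Cron entry point: exit non-zero on any failure so cron's MAILTO sends a mail."""
    domain = next((a for a in argv[1:] if not a.startswith("--")), "example.com")
    try:
        doc = SAMPLE_RESPONSE if "--sample" in argv else fetch_status(domain)
        ok, reason = check_preloaded(domain, doc)
    except Exception as exc:  # network error, HTTP error, malformed JSON
        ok, reason = False, f"check failed: {exc}"
    print(f"{domain}: {reason}")
    return 0 if ok else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from cron with MAILTO set: a non-zero exit (status no longer `preloaded`, endpoint unreachable, or response malformed) is what produces the owner notification the thread asked for.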

Sounds fine, thanks very much for the reply! I'll just set up a cronjob, that works for us.

SWTORfan avatar May 23 '16 18:05 SWTORfan

An idea that I have jotted down somewhere: log the certificate we see when connecting to a site in the scan (or at least log an SPKI hash).

lgarron avatar Oct 10 '16 20:10 lgarron

Manually run scans are at https://github.com/lgarron/hstspreload-scans for now.

lgarron avatar Dec 03 '16 00:12 lgarron

Manually run scans are at https://github.com/lgarron/hstspreload-scans for now.

Note that I've upgraded this to automatic scans running since December 23. However, the data is not appropriate for a git repo (already multiple gigs uncompressed). I will backfill it into a Google Cloud Storage bucket once I debug the cron job to do it automatically in the cloud.

lgarron avatar Mar 03 '17 05:03 lgarron