
Preload HSTS

Open FozzieHi opened this issue 4 years ago • 6 comments

HSTS should be preloaded https://hstspreload.org/?domain=isbgpsafeyet.com

FozzieHi avatar May 04 '20 23:05 FozzieHi

It is preloaded actually: https://dev.ssllabs.com/ssltest/analyze.html?d=isbgpsafeyet.com&s=104.18.12.88&latest It just displays that it's half a year (15552000) instead of a whole (31536000). But it's enough, I think.

Displax avatar May 05 '20 20:05 Displax

> It is preloaded actually: https://dev.ssllabs.com/ssltest/analyze.html?d=isbgpsafeyet.com&s=104.18.12.88&latest It just displays that it's half a year (15552000) instead of a whole (31536000). But it's enough, I think.

It's not preloaded, max age needs to be 31536000 and then the domain needs to be submitted via https://hstspreload.org

FozzieHi avatar May 05 '20 20:05 FozzieHi

> It's not preloaded, max age needs to be 31536000 and then the domain needs to be submitted via https://hstspreload.org

This is not true. 🤣🤣🤣 You can install a special Chrome extension to show redirects (307 internal redirect is the HSTS redirect). Or you can look into chrome://net-internals/#hsts and query it! It will be shown as HSTS! The only purpose of https://hstspreload.org/ is to activate HSTS immediately even if you just opened a clean browser (using a preload list of domains in the browser, which is idiotic, IMHO, but whatever, LOL) without any https queries (yes, HTTP is not supported, because an attacker can give HSTS over http and block an http-only server).

ValZapod avatar Jul 06 '20 16:07 ValZapod

It is true, I'm talking about preloading as explained in the title and the comment you quoted.

Yes you can have HSTS without it being preloaded but to be preloaded you need the requirements which I said. I don't see how you think it's stupid, if an attacker wanted to MITM a user and they have never visited the website before then they could as the first request will be using HTTP unless you have an extension like HTTPS Everywhere.

FozzieHi avatar Jul 06 '20 16:07 FozzieHi

> first request will be using HTTP unless you have an extension like HTTPS Everywhere.

This is, IMHO, very improbable. Anyway, next time the site is visited, it will be redirected to https and then HSTS'd foreVa! Or for 6 months, anyway.

ValZapod avatar Jul 06 '20 16:07 ValZapod

> This is, IMHO, very improbable. Anyway, next time the site is visited, it will be redirected to https and then HSTS'd foreVa!

Not forever, it follows the max-age in the HSTS header.

However improbable you think it is I don't find a reason for this not to be preloaded, unless Cloudflare feels like it might lose HTTPS compatibility in the future.

FozzieHi avatar Jul 06 '20 16:07 FozzieHi