Re: [dev] suckless.org TLS / HTTPS support

From: Laslo Hunhold <dev_AT_frign.de>
Date: Thu, 31 Aug 2017 15:57:15 +0200

On Thu, 31 Aug 2017 15:36:03 +0200
Hiltjo Posthuma <hiltjo_AT_codemadness.org> wrote:

Dear Hiltjo,

> There is no issue (anymore) because I fixed the main template.
> An example is the logo.svg had a direct http:// link. This gives a
> "mixed content" warning in your browser. A MITM can abuse plain-text
> traffic, this is not possible by specifying a HSTS header. Ofcourse
> the person has to first make a single HTTPS request with the HSTS
> header set. After that it works (until the expiration date, which is
> set to 1 year atm).

what makes me wonder is why the HSTS-spec tells conformant clients to
ignore the STS-header in the context of a HTTP connection, given this
would be a perfect way to implement an "offering" of a TLS-connection
to a browser.
Clients who do not wish to connect via HTTPS but HTTP can just ignore
the STS-header, but browsers who can could expose a configuration
setting for the user to determine how to behave when being confronted
with a HSTS-header in an HTTP-context.

This would completely rid us from the need for extensions like "HTTPS
Everywhere" and we would still keep HTTPS optional.

With best regards

Laslo Hunhold

-- 
Laslo Hunhold <dev_AT_frign.de>
Received on Thu Aug 31 2017 - 15:57:15 CEST

This archive was generated by hypermail 2.3.0 : Thu Aug 31 2017 - 16:00:26 CEST