On Thu, Aug 31, 2017 at 04:15:33PM +0200, Anselm R Garbe wrote:
> On 31 August 2017 at 15:36, Hiltjo Posthuma <hiltjo_AT_codemadness.org> wrote:
> > On Thu, Aug 31, 2017 at 03:07:11PM +0200, Anselm R Garbe wrote:
> >> well ;)), but I'm also a sceptic of HSTS.
> >
> > Can you explain why you are a sceptic of HSTS?
>
> I'm sceptical of using HSTS on suckless.org. I think it is superfluous.
>
> I really prefer that website visitors perform a *conscious* transition
> to https urls of suckless.org (after learning about it in our news
> feed that you wrote) rather than mandating the browser (which might
> support HSTS) to perform some kind of a "magic" transition instead.
> Actually the user might not notice at all if his browser supports
> HSTS.
>
A user has to have done at least one HTTPS request initially to receive
the HSTS header. Since we don't support HTTP redirection it has to have
been conscious or via some site linked to the HTTPS version.
> It's kind of an infantilization of the user.
>
I see your point, but there are at least 2 things here imho. One is "user"
education. The other is security. It would mean if there is even a single
link / content error on the wiki page then MITM is possible (without HSTS).
> Also I dislike the idea that browsers effectively share HSTS
> information gathered in regular mode even in private (aka incognito)
> mode (at least I read about this last time I looked into HSTS, which
> is a while back).
>
HSTS is just a single HTTP header with an expiration date. It can be
set per domain or optionally per subdomain. The whole point of HSTS is
that it is "cached" basically.
--
Kind regards,
Hiltjo
Received on Thu Aug 31 2017 - 17:07:39 CEST
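The two points Hiltjo makes above (a browser only learns the header from an HTTPS response, and the policy is then cached per domain or, optionally, for subdomains until it expires) as an added example; this is not code from the thread or from suckless.org, and the cache class, host names and timestamps are constructed:

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed model of a browser's HSTS cache (added example). A policy is
# installed only from a Strict-Transport-Security header seen on an HTTPS
# response; the same header on a plain-HTTP response is ignored (RFC 6797).

@dataclass
class HstsPolicy:
    expires: float            # epoch time at which the cached policy lapses
    include_subdomains: bool  # whether the policy also covers subdomains

_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)

def parse_sts(header: str) -> Optional[Tuple[int, bool]]:
    """Return (max_age_seconds, include_subdomains) or None if malformed."""
    m = _MAX_AGE.search(header)
    if not m:
        return None  # max-age is mandatory; without it the header is invalid
    directives = [d.strip().lower() for d in header.split(";")]
    return int(m.group(1)), "includesubdomains" in directives

class HstsCache:
    def __init__(self) -> None:
        self.policies: Dict[str, HstsPolicy] = {}

    def observe(self, host: str, scheme: str, header: Optional[str], now: float) -> None:
        """Record the policy carried by one response from `host`."""
        if scheme != "https" or header is None:
            return  # only a secure response can install or refresh a policy
        parsed = parse_sts(header)
        if parsed is None:
            return
        max_age, incl = parsed
        if max_age == 0:
            self.policies.pop(host.lower(), None)  # max-age=0 revokes the policy
            return
        self.policies[host.lower()] = HstsPolicy(now + max_age, incl)

    def should_upgrade(self, host: str, now: float) -> bool:
        """True if a plain-http request to `host` must be rewritten to https."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None or policy.expires <= now:
                continue  # unknown host or expired policy: keep looking upward
            if i == 0 or policy.include_subdomains:
                return True
        return False
```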