Re: HSTS Misuse from Solarus Lumenor on 2016-05-23 (ietf-http-wg@w3.org from April to June 2016)

From: Solarus Lumenor <solarus@ultrawaves.fr>
Date: Mon, 23 May 2016 10:49:52 +0100
To: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <7301d13860eca437fc01c21ace8d322a@ultrawaves.net>

 

Le 2016-05-22 15:13, Dennis Olvany a écrit : 

> I suppose third-party HSTS may be a good way to describe the scenario I propose. To be more clear, let's say that the https server is provided by a web hosting company and their customer is the domain owner.

Hello. 

In my opinion its a bad practice that should be avoided.

For a domain given, a HTTPS server must only use HSTS if it serves
fully-encrypted content.
If it serves plain-text or mixed-content for a domain that uses HSTS,
it's an error. 

If you want to redirect HTTPS connexion to plain-text content then you
MUST NOT use HSTS on all the servers or CDN serving this domain.
If one or more Virtual Host activate HSTS on your domain, your clients
will be stuck for a while.

As long as HSTS in DNS is not standardized or implemented, the domain
owner does not matters, it's only a server problem. 

Solarus

Received on Monday, 23 May 2016 09:50:26 UTC