Re: HSTS Misuse from Patrick McManus on 2016-05-24 (ietf-http-wg@w3.org from April to June 2016)

From: Patrick McManus <mcmanus@ducksong.com>
Date: Tue, 24 May 2016 09:44:53 -0400
To: Philipp Junghannß <teamhydro55555@gmail.com>
Cc: Dennis Olvany <dennisolvany@gmail.com>, Solarus Lumenor <solarus@ultrawaves.fr>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAOdDvNoNW_U24mrGDpvvvLTQGbT48zcTd8niquA7KefVb-zqXQ@mail.gmail.com>

On Mon, May 23, 2016 at 6:37 AM, Philipp Junghannß <teamhydro55555@gmail.com
> wrote:

> also lets not forget that what will happen if we have an obnoxiouslyy long
> HSTS and the domain gets sold?
>

A domain with a smaller bootstrap vulnerability against MITM would be more
valuable to a sensible buyer. It's 2016 afterall - worrying about how to
avoid https is needlessly swimming against the tide.

I've actually wondered about a https only TLD for the same benefit.

Received on Tuesday, 24 May 2016 13:45:30 UTC