Re: Fetching http:// URIs over TLS by default

>
>
>>> 2) Allow domains to opt-in to HSTS out-of-band, like in software updates
>>> for an OS. This idea seems intriguing, because it would seem to improve
>>> security as participants join, unlike a TLS trusted-root store.
>>>
>>
>> The HSTS spec suggests doing this as the pre-load list and indeed
>> browsers ship just that.
>> https://tools.ietf.org/html/rfc6797#section-12.3
>> https://hstspreload.org
>>
>
> They do--I've seen the static list built into Chrome. It seems like the
> list should be global, because the lists didn't seem to match on some
> important sites. Browsers did record the HSTS data after one visit, but
> clearing browsing data seemed to reverse this in some cases.
>

As far as I know, every browser that ships an HSTS preload list bases it
off of the one maintained at hstspreload.org. Different browsers have
different criteria for what exactly to include and may revalidate that a
domain meets the requirements for inclusion (or meets additional
requirements than the Chromium requirements). The update cycle for
different browsers also impacts which version of the list is in use, but
ultimately I'd expect all browsers to have approximately the same list.
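The preload list discussed in this thread is, mechanically, just a set of HSTS entries a user agent treats as already "known" before any visit, and later Strict-Transport-Security headers refresh or clear them. The following is an added illustration, not code from the thread, RFC 6797 or hstspreload.org: a small Python model of the RFC 6797 header grammar (§6.1), the known-host matching that decides whether an http:// URI gets upgraded (§8.2/§8.3), and a preload-style eligibility check. The `PRELOAD_MIN_MAX_AGE` threshold and the sample preload entries are assumptions constructed for the example; consult hstspreload.org for the current criteria.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed preload bar, modelled on the published hstspreload.org style of
# requirements (one-year max-age, includeSubDomains, preload directive).
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.
    Returns None when the header is invalid (missing or malformed max-age,
    a directive repeated), which a UA must treat as 'no policy'."""
    seen = set()
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]          # quoted-string form is allowed
        if name in seen:
            return None                   # a directive MUST NOT repeat
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unrecognised directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_ineligibility_reasons(policy: Optional[HstsPolicy]) -> List[str]:
    """Why a header would not meet the assumed preload bar (empty = eligible)."""
    if policy is None:
        return ["invalid or missing HSTS header"]
    reasons = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        reasons.append("max-age below %d seconds" % PRELOAD_MIN_MAX_AGE)
    if not policy.include_subdomains:
        reasons.append("includeSubDomains directive missing")
    if not policy.preload:
        reasons.append("preload directive missing")
    return reasons


def apply_header(store: Dict[str, HstsPolicy], host: str, header: str) -> None:
    """Update the known-HSTS-host cache from a header received over TLS.
    max-age=0 removes the host (section 6.1.1); invalid headers are ignored."""
    policy = parse_hsts(header)
    if policy is None:
        return
    host = host.lower().rstrip(".")
    if policy.max_age == 0:
        store.pop(host, None)
    else:
        store[host] = policy


def is_known_hsts_host(store: Dict[str, HstsPolicy], host: str) -> bool:
    """RFC 6797 sections 8.2/8.3: a host is an HSTS host if it matches a
    cached entry exactly, or a superdomain entry carries includeSubDomains.
    This is the check that turns an http:// URI into an https:// fetch."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        policy = store.get(".".join(labels[i:]))
        if policy is None:
            continue
        if i == 0 or policy.include_subdomains:
            return True
    return False


def seeded_store() -> Dict[str, HstsPolicy]:
    """Constructed stand-in for a shipped preload list (sample data only)."""
    return {
        "preloaded.example": HstsPolicy(PRELOAD_MIN_MAX_AGE, True, True),
        "narrow.example": HstsPolicy(PRELOAD_MIN_MAX_AGE, False, True),
    }
```

The interesting property the thread touches on falls out of the model: entries seeded from the preload list behave exactly like entries learned from a header, so what differs between browsers is only which seed list they ship and how they validate it, while "clearing browsing data" can drop the header-learned entries without touching the seeded ones.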

>

Received on Friday, 20 September 2019 22:36:13 UTC