- From: Ryan Sleevi <rsleevi@chromium.org>
- Date: Mon, 29 Dec 2014 20:09:09 -0800
- To: Jim Manico <jim.manico@owasp.org>
- Cc: "rsleevi@chromium.org" <rsleevi@chromium.org>, Chris Palmer <palmer@google.com>, Brian Smith <brian@briansmith.org>, Chris Bentzel <cbentzel@chromium.org>, Monica Chew <mmc@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>
On Mon, Dec 29, 2014 at 8:01 PM, Jim Manico <jim.manico@owasp.org> wrote:

>> Of the things that apply now, what sites can be doing is:
> 1) Ensuring HTTP redirects to HTTPS
> 2) Use canonical URLs - see
> https://support.google.com/webmasters/answer/139066?hl=en
> 3) Use HSTS, when available.
>
> I think that HTTP-redirect as a solution is "too late". The *preloaded*
> HSTS headers initiative seems to be the right solution in order to avoid
> that initial HTTP request...

I'm sorry it wasn't clearer what I was saying - but this is about answering the question about "How do we get search engines to prefer HTTPS". This is how. If your search engine is linking to HTTPS because it detected the above three, then your link is to HTTPS, and thus you don't have that window.

>
> https://hstspreload.appspot.com/
>
> I don't think preloaded HSTS is part of the HSTS standard. How could we
> raise adoption?
>

It doesn't need to be.
Received on Tuesday, 30 December 2014 04:09:37 UTC
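
Added example, not part of the original message: a small offline audit of the three signals listed in the thread (HTTP-to-HTTPS redirect, HTTPS canonical URL, HSTS header), run over constructed responses. The response dict layout, the function names and `example.com` are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _CanonicalFinder(HTMLParser):
    """Collects the href of every <link rel="canonical"> element."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "canonical" in (a.get("rel") or "").lower().split():
            self.hrefs.append(a.get("href") or "")


def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security value, or None if absent/invalid."""
    for directive in (value or "").split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":  # directive names are case-insensitive
            arg = arg.strip().strip('"')       # value may be a quoted-string
            return int(arg) if re.fullmatch(r"\d+", arg) else None
    return None


def https_signals(http_resp, https_resp):
    """Check the three signals; each response is a dict with status, headers, body."""
    loc = urlsplit(http_resp["headers"].get("location", ""))
    finder = _CanonicalFinder()
    finder.feed(https_resp.get("body", ""))
    max_age = hsts_max_age(https_resp["headers"].get("strict-transport-security"))
    return {
        "redirects_to_https": http_resp["status"] in (301, 302, 307, 308)
        and loc.scheme == "https",
        "canonical_is_https": bool(finder.hrefs)
        and all(urlsplit(h).scheme == "https" for h in finder.hrefs),
        # max-age=0 tells the browser to drop the policy, so it does not count
        "hsts_enabled": max_age is not None and max_age > 0,
    }


# Constructed sample responses (header names lowercased), not captured traffic.
HTTP_RESP = {"status": 301, "headers": {"location": "https://example.com/"}, "body": ""}
HTTPS_RESP = {
    "status": 200,
    "headers": {"strict-transport-security": "max-age=31536000; includeSubDomains"},
    "body": '<html><head><link rel="canonical" href="https://example.com/"></head></html>',
}
```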