Re: Proposal: Marking HTTP As Non-Secure


I'm just politely critiquing what I see as advice regarding HTTPS/TLS
configuration that seems lacking. And yes I pivoted to asking about
•preloaded• HSTS evangelism since I feel it makes the search engine
question moot. Who cares if a search engine returns HTTP or HTTPS
links if we have widespread adoption of preloaded HSTS sites that make
the change in the client.

That's where my thinking was; my apologies if I detailed the conversation.

Jim Manico
(808) 652-3805

> On Dec 29, 2014, at 6:09 PM, Ryan Sleevi <> wrote:
> On Mon, Dec 29, 2014 at 8:01 PM, Jim Manico <> wrote:
>>> Of the things that apply now, what sites can be doing is:
>> 1) Ensuring HTTP redirects to HTTPS
>> 2) Use canonical URLs - see
>> 3) Use HSTS, when available.
>> I think that HTTP-redirect as a solution is "too late". The ••preloaded••
>> HTST headers initiative seems to be the right solution in order to avoid
>> that initial HTTP request...
> I'm sorry it wasn't clearer what I was saying - but this is about
> answering the question about "How do we get search engines to prefer
> HTTPS". This is how.
> If your search engine is linking to HTTPS because it detected the
> above three, then your link is to HTTPS, and thus you don't have that
> window.
>> I don't think preloaded HSTS is part of the HSTS standard. How could we
>> raise adoption?
> It doesn't need to be.

Received on Tuesday, 30 December 2014 08:15:40 UTC