Re: Proposal: Marking HTTP As Non-Secure

Right.

I'm just politely critiquing what I see as advice regarding HTTPS/TLS
configuration that seems lacking. And yes I pivoted to asking about
*preloaded* HSTS evangelism since I feel it makes the search engine
question moot. Who cares if a search engine returns HTTP or HTTPS
links if we have widespread adoption of preloaded HSTS sites that make
the change in the client?

That's where my thinking was; my apologies if I derailed the conversation.

--
Jim Manico
@Manicode
(808) 652-3805

> On Dec 29, 2014, at 6:09 PM, Ryan Sleevi <rsleevi@chromium.org> wrote:
>
> On Mon, Dec 29, 2014 at 8:01 PM, Jim Manico <jim.manico@owasp.org> wrote:
>>> Of the things that apply now, what sites can be doing is:
>>> 1) Ensuring HTTP redirects to HTTPS
>>> 2) Use canonical URLs - see
>>> https://support.google.com/webmasters/answer/139066?hl=en
>>> 3) Use HSTS, when available.
>>
>> I think that HTTP-redirect as a solution is "too late". The *preloaded*
>> HSTS headers initiative seems to be the right solution in order to avoid
>> that initial HTTP request...
>
> I'm sorry it wasn't clearer what I was saying - but this is about
> answering the question about "How do we get search engines to prefer
> HTTPS". This is how.
>
> If your search engine is linking to HTTPS because it detected the
> above three, then your link is to HTTPS, and thus you don't have that
> window.
>
>>
>> https://hstspreload.appspot.com/
>>
>> I don't think preloaded HSTS is part of the HSTS standard. How could we
>> raise adoption?
>
> It doesn't need to be.

Received on Tuesday, 30 December 2014 08:15:40 UTC