W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

Re: Proposal: Marking HTTP As Non-Secure

From: Eric Mill <eric@konklone.com>
Date: Tue, 30 Dec 2014 17:30:51 -0500
Message-ID: <CANBOYLW-0fkfkB7z4MJWjQOFLiFvVZVkfq_4=jLsrmM_+2bw=A@mail.gmail.com>
To: rsleevi@chromium.org
Cc: Jim Manico <jim.manico@owasp.org>, Chris Bentzel <cbentzel@chromium.org>, Chris Palmer <palmer@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>, blink-dev <blink-dev@chromium.org>, Brian Smith <brian@briansmith.org>, Monica Chew <mmc@mozilla.com>
On Mon, Dec 29, 2014 at 11:09 PM, Ryan Sleevi <rsleevi@chromium.org> wrote:

> On Mon, Dec 29, 2014 at 8:01 PM, Jim Manico <jim.manico@owasp.org> wrote:
> >
> > https://hstspreload.appspot.com/
> >
> > I don't think preloaded HSTS is part of the HSTS standard. How could we
> > raise adoption?
> >
> It doesn't need to be.

As for raising adoption, people just need to talk about it. I'm not sure
why more entities that have preloaded their domains aren't putting up blog
posts or press releases about it. "We're so secure that we're hardcoded
into browsers" seems like an all-upside PR move. I know I'm working on
taking advantage of that in my own work.
Received on Tuesday, 30 December 2014 22:32:14 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:44 UTC