
Re: HSTS over HTTP question.

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 07 Mar 2014 12:26:21 -0800
Message-ID: <531A2B6D.1070302@mozilla.com>
To: Ingo Chao <ichaocssd@googlemail.com>, public-webappsec@w3.org
On 3/7/2014 6:28 AM, Ingo Chao wrote:
> I am aware of 6.2.  HTTP Request Type
>    A HSTS Server MUST NOT include the Strict-Transport-Security HTTP
>    Response Header in HTTP responses conveyed over a non-secure
>    transport.
>
> But I don't understand the reasons.

Because we don't trust the connection. Adding HSTS to a site not prepared to be fully TLS results in a denial of service for that site that the user won't really understand or easily fix.

-Dan Veditz
Received on Friday, 7 March 2014 20:26:47 UTC
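A client-side sketch of the rule discussed above, added here as an example and not code from the thread or from any browser: a Strict-Transport-Security header is only honoured when the response arrived over https, so a header seen on a plain-HTTP response (which anyone on the path could have injected) never creates a policy. It assumes a `headers` dict of response header names to values; the `HstsCache` class, the `now` clock parameter and any host names are constructed for the example.

```python
import time
from urllib.parse import urlsplit

class HstsCache:
    """Client-side HSTS policy store. Implements the RFC 6797 rule at issue:
    a Strict-Transport-Security header is honoured only when the response
    came over a secure transport (here: an https URL)."""
    def __init__(self, now=time.time):
        self.now = now        # injectable clock, useful for testing expiry
        self.hosts = {}       # host -> (expiry timestamp, includeSubDomains)

    def process_response(self, url, headers):
        """Return True if a policy was stored or cleared, False if ignored."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            # Plain-HTTP response: the header has no authority because the
            # connection itself is untrusted, so it is dropped unread.
            return False
        lowered = {k.lower(): v for k, v in headers.items()}
        sts = lowered.get("strict-transport-security")
        if sts is None:
            return False
        max_age, include_sub = None, False
        for directive in sts.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return False  # malformed max-age: ignore the whole header
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None or max_age < 0:
            return False  # max-age is required and must be non-negative
        host = parts.hostname.lower()
        if max_age == 0:
            self.hosts.pop(host, None)  # max-age=0 clears the policy
        else:
            self.hosts[host] = (self.now() + max_age, include_sub)
        return True

    def is_known_host(self, host):
        """True if host, or a superdomain with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False
```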
