W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2015

Re: [UPGRADE]: What's left?

From: Peter Eckersley <pde@eff.org>
Date: Sat, 7 Mar 2015 02:39:54 -0800
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Jeff Hodges <Jeff.Hodges@kingsmountain.com>, Tanvi Vyas <tanvi@mozilla.com>, Yves Lafon <ylafon@w3.org>, T Guild <ted@w3.org>, Daniel Appelquist <appelquist@gmail.com>, Alex Russell <slightlyoff@google.com>, Ilya Grigorik <igrigorik@google.com>, Yoav Weiss <yoav@yoav.ws>
Message-ID: <20150307103954.GY7934@eff.org>
On Fri, Mar 06, 2015 at 11:16:50AM -0800, Martin Thomson wrote:
> I understood this as "If you support this upgrade, might as well just
> use HSTS".  But can't save the extra bytes by disabling this signal if
> HSTS is enabled?

Almost.  The problem is that if the HSTS header isn't in the preload
list, the client needs to see it again occasionally in order for HSTS to
be renewed.  This could be finnessed in various ways, such as only
sending the Prefer header for / or favicon.ico once HSTS is active; only
sending it once a certain fraction of maxage has passed, or only sending
it with a small probability on each request.

Peter Eckersley                            pde@eff.org
Technology Projects Director      Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
Received on Saturday, 7 March 2015 10:40:24 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:47 UTC