Re: people.debian.org will move from ravel to paradis and become HTTPS only

On Mon, 21 Jul 2014, Wouter Verhelst wrote:

> Op zondag 20 juli 2014 21:22:48 schreef Peter Palfrader:
> > On Sun, 20 Jul 2014, Wouter Verhelst wrote:
> > > If HSTS is enabled and you access people.debian.org even once (and you
> > > don't clear out their entire cache for as long as the HSTS timeout
> > > lives), then HSTS will ensure that the HTTP URL gets turned into an
> > > HTTPS URL automatically.
> > 
> > Alas, no.
> Yes it does.
> I just tried chromium and iceweasel on this laptop (running sid, a few
> days out of date). Both will turn "http://www.debian.org" into
> "https://www.debian.org" due to HSTS. This works whether I enter the
> "http://" prefix or not.
> Are you talking about something else? If so, can you clarify in more
> than two words?

Sure, I can clarify:

As I understand the RFC, servers MUST NOT send HSTS headers on insecure
connections.  Similarly, clients MUST ignore HSTS headers on insecure
connections such as plain text http or if they can't validate the cert.

This means that HSTS is not capable of upgrading an initial http-only
connection to https.

(Clients will only turn your request into https if they had previously
connected via https and cached the HSTS information.)
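The behaviour described in this reply (the header is only honoured over a validated HTTPS connection, so the very first plain-HTTP request is never upgraded, but later ones are once an entry is cached) can be traced with a small model of a client-side HSTS cache. The code below is an added illustration written for this thread, not Debian's or any browser's code; the header values, the max-age numbers and the includeSubDomains entry for debian.org are constructed for the example, and the cache semantics follow RFC 6797 (ignore the header over insecure transport or an unvalidated certificate, rewrite only hosts already known).

```python
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float            # absolute time after which the entry is stale
    include_subdomains: bool  # whether the includeSubDomains directive was set


class HstsCache:
    """Minimal model of a user agent's HSTS policy store."""

    def __init__(self, now=time.time):
        self._now = now
        self._store = {}  # host -> HstsEntry

    def process_response(self, scheme, host, headers, cert_valid=True):
        """Record the Strict-Transport-Security header of a response.

        Returns True if the header changed the store, False if it was
        ignored.  Per RFC 6797 the header is ignored unless it arrived over
        HTTPS with a certificate the client could validate; a header seen
        on plain http therefore never creates an entry.
        """
        if scheme != "https" or not cert_valid:
            return False
        value = headers.get("strict-transport-security")
        if value is None:
            return False
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(arg.strip().strip('"'))
                except ValueError:
                    return False  # malformed directive: ignore the header
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False  # max-age is mandatory
        if max_age == 0:
            self._store.pop(host, None)  # max-age=0 tells the client to forget the host
            return True
        self._store[host] = HstsEntry(self._now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host (or a superdomain with includeSubDomains) has a live entry."""
        now = self._now()
        entry = self._store.get(host)
        if entry and entry.expires > now:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            entry = self._store.get(parent)
            if entry and entry.expires > now and entry.include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Apply the HSTS URI rewrite (RFC 6797 section 8.3) to an http URL."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return url  # unknown host: the request goes out as plain http
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc += f":{parts.port}"  # explicit port 80 maps to 443, others are kept
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def first_visit_sequence():
    """Replay the scenario from the thread and return the URL actually requested each time."""
    cache = HstsCache()
    hdr = {"strict-transport-security": "max-age=31536000"}  # constructed header value
    first = cache.rewrite("http://people.debian.org/~user/")   # nothing cached yet
    cache.process_response("http", "people.debian.org", hdr)   # ignored: insecure transport
    second = cache.rewrite("http://people.debian.org/~user/")  # still http
    cache.process_response("https", "people.debian.org", hdr)  # a real https visit seeds the cache
    third = cache.rewrite("http://people.debian.org/~user/")   # now upgraded
    return first, second, third


if __name__ == "__main__":
    for url in first_visit_sequence():
        print(url)
```

The three URLs returned by `first_visit_sequence()` show the point of the reply: the first and second requests stay on http because no policy has been learned yet, and only after a response over validated HTTPS carries the header does the client start rewriting http URLs for that host.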

