
Re: people.debian.org will move from ravel to paradis and become HTTPS only



On Monday, 21 July 2014 11:34:49, Peter Palfrader wrote:
> On Mon, 21 Jul 2014, Wouter Verhelst wrote:
> > Are you talking about something else? If so, can you clarify in more
> > than two words?
> 
> Sure, I can clarify:
> 
> As I understand the RFC, servers MUST NOT send HSTS headers on insecure
> connections.  Similarly, clients MUST ignore HSTS headers on insecure
> connections such as plain text http or if they can't validate the cert.
> 
> This means that HSTS is not capable of upgrading an initial http-only
> connection to https.
> 
> (Clients will only turn your request into https if they had previously
> connected via https and cached the HSTS information.)

Yes, that's my understanding too. As I've said in my reply to Paul's
mail, what I meant is that if a user has seen an HSTS header even once,
then my statement is true. As such, what you need is to improve the
likelihood that the initial connection is an https one, not an http-only
one.

I do think that the things I've suggested (instruct search engines to
ignore http, only provide https links from project resources, etc) will
increase that likelihood to the extent that http-only connections will
be a rare exception. You can probably increase it even more with some
effort, I'm sure.

Is that enough? That's a matter of opinion. I would think it is.

-- 
It is easy to love a country that is famous for chocolate and beer

  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26
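The two client-side rules discussed in the exchange above, as an added example that is not code from this thread or from Debian's infrastructure: a minimal model of a browser's Known HSTS Hosts list following RFC 6797. A Strict-Transport-Security header is only recorded when it arrived over HTTPS with a certificate that validated; a later http:// request is rewritten to https:// only if such a header was seen before and its max-age has not expired. Host names, clock values and header strings in the usage below are constructed for the illustration.

```python
"""Model of RFC 6797 (HSTS) client behaviour. Added example, not from the thread."""
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float            # absolute expiry, seconds since the epoch
    include_subdomains: bool


def parse_sts(header: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value into (max_age, includeSubDomains).

    Returns None when the header is malformed (no usable max-age); RFC 6797
    section 8.1 requires the client to ignore such a header.
    """
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_sub


class HstsClient:
    """Keeps the Known HSTS Hosts list and applies it to outgoing URLs."""

    def __init__(self, now=time.time):
        self.known: Dict[str, HstsEntry] = {}
        self.now = now    # injectable clock so expiry can be exercised

    def observe_response(self, host: str, secure: bool, cert_valid: bool,
                         sts_header: Optional[str]) -> bool:
        """Process one response; True if the HSTS list changed.

        Over plain http, or when the TLS certificate did not validate, the
        header is ignored outright (section 8.1). This is why a first visit
        over http cannot be upgraded by HSTS alone.
        """
        if not secure or not cert_valid or sts_header is None:
            return False
        parsed = parse_sts(sts_header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            # max-age=0 instructs the client to forget the host
            self.known.pop(host, None)
            return True
        self.known[host] = HstsEntry(self.now() + max_age, include_sub)
        return True

    def _covering_entry(self, host: str) -> Optional[HstsEntry]:
        """Find a live entry for the host itself or an includeSubDomains parent."""
        labels = host.lower().split(".")
        now = self.now()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.known.get(candidate)
            if entry is None:
                continue
            if entry.expires <= now:
                del self.known[candidate]        # expired: drop and keep looking
                continue
            if i == 0 or entry.include_subdomains:
                return entry
        return None

    def rewrite(self, url: str) -> str:
        """Rewrite http:// to https:// for known hosts (section 8.3); else unchanged."""
        parts = urlsplit(url)
        if parts.scheme != "http" or self._covering_entry(parts.hostname or "") is None:
            return url
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc = f"{netloc}:{parts.port}"   # an explicit :80 is dropped
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    c = HstsClient()
    # constructed first visit over plain http: the header must be ignored
    c.observe_response("people.debian.org", secure=False, cert_valid=True,
                       sts_header="max-age=31536000")
    print(c.rewrite("http://people.debian.org/"))      # still http://
    # constructed later visit over validated https: now it is recorded
    c.observe_response("people.debian.org", secure=True, cert_valid=True,
                       sts_header="max-age=31536000; includeSubDomains")
    print(c.rewrite("http://people.debian.org/"))      # https://
```

The `__main__` block walks through exactly the sequence the mail describes: the header seen on the first, insecure connection changes nothing, and only once the same host has been reached over validated HTTPS do subsequent http:// URLs get upgraded locally, which is why the thread concentrates on making that first connection an HTTPS one.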