On Monday, 21 July 2014 11:34:49, Peter Palfrader wrote:
> On Mon, 21 Jul 2014, Wouter Verhelst wrote:
> > Are you talking about something else? If so, can you clarify in more
> > than two words?
>
> Sure, I can clarify:
>
> As I understand the RFC, servers MUST NOT send HSTS headers on insecure
> connections. Similarly, clients MUST ignore HSTS headers on insecure
> connections such as plain text http or if they can't validate the cert.
>
> This means that HSTS is not capable of upgrading an initial http-only
> connection to https.
>
> (Clients will only turn your request into https if they had previously
> connected via https and cached the HSTS information.)
Yes, that's my understanding too. As I've said in my reply to Paul's mail,
what I meant is that if a user has seen an HSTS header even once, then my
statement is true.

As such, what you need is to improve the likelihood that the initial
connection is an https one, not an http-only one. I do think that the things
I've suggested (instruct search engines to ignore http, only provide https
links from project resources, etc.) will increase that likelihood to the
extent that http-only connections will be a rare exception. You can probably
increase it even more with some effort, I'm sure.

Is that enough? That's a matter of opinion. I would think it is.

-- 
It is easy to love a country that is famous for chocolate and beer

  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26

Archive: https://lists.debian.org/8110293.d4xlpoy...@grep.be
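The HSTS behaviour the thread turns on (the header is only honoured over a validated TLS connection, so the very first http-only visit is never upgraded, while any later http:// URL is rewritten once a policy is cached) as a small Python model of a conforming server and client. This is an added illustration, not part of the original thread and not code from Debian's infrastructure or from any browser; `HstsCache`, `server_response`, `walkthrough` and the example.org exchange are assumptions made here. It also covers includeSubDomains and max-age expiry, which the thread does not discuss but which bound the "seen the header even once" condition.

```python
# Minimal model of HSTS (RFC 6797) as described in the thread. Constructed
# example: names and the sample exchange are assumptions, not Debian's code.
import re

STS = "strict-transport-security"


def parse_sts(value):
    """Return (max_age, include_subdomains), or None if max-age is absent/bad."""
    max_age, include_sub = None, False
    for token in filter(None, (t.strip() for t in value.split(";"))):
        name, _, arg = token.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True          # unknown directives are ignored
    return None if max_age is None else (max_age, include_sub)


def server_response(scheme, host, path):
    """Server side: MUST NOT send the header over an insecure connection
    (RFC 6797 section 7.2), so plain http only redirects to https."""
    if scheme != "https":
        return 301, {"Location": "https://%s%s" % (host, path)}
    return 200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}


class HstsCache:
    """Client side: the Known HSTS Host store a conforming user agent keeps."""
    def __init__(self, now):
        self.now = now      # callable returning the current time in seconds
        self.hosts = {}     # host -> (expiry_time, include_subdomains)

    def handle_response(self, host, scheme, cert_valid, headers):
        """Only a validated TLS response may set or clear a policy; over plain http
        or after a failed cert validation the header is ignored (RFC 6797 8.1)."""
        if scheme != "https" or not cert_valid:
            return False
        value = next((v for k, v in headers.items() if k.lower() == STS), "")
        parsed = parse_sts(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self.hosts.pop(host.lower(), None)   # max-age=0 deletes the policy
        else:
            self.hosts[host.lower()] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """Match the host itself or any parent that set includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])
            expiry, include_sub = self.hosts.get(name, (0, False))
            if expiry <= self.now():
                self.hosts.pop(name, None)       # absent, or expired and dropped
            elif i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts (port 80 becomes the
        default https port, other explicit ports are kept); else unchanged."""
        m = re.fullmatch(r"http://([^/:]+)(?::(\d+))?(/.*)?", url)
        if not m or not self.is_known(m.group(1)):
            return url
        port = "" if m.group(2) in (None, "80") else ":" + m.group(2)
        return "https://%s%s%s" % (m.group(1), port, m.group(3) or "/")


def walkthrough():
    """Replay the thread's point; returns (step, URL the client would fetch)."""
    clock = [1_000_000.0]
    cache = HstsCache(now=lambda: clock[0])
    host, probe, out = "example.org", "http://example.org/", []
    # 1. First contact over plain http: a redirect, no header, nothing cached.
    _, headers = server_response("http", host, "/")
    cache.handle_response(host, "http", False, headers)
    out.append(("first plain-http visit", cache.rewrite(probe)))
    # 2. A header injected over plain http (by an on-path attacker, say) is ignored.
    cache.handle_response(host, "http", False, {"Strict-Transport-Security": "max-age=99999"})
    out.append(("header injected over http", cache.rewrite(probe)))
    # 3. https whose certificate failed validation: still ignored.
    _, headers = server_response("https", host, "/")
    cache.handle_response(host, "https", False, headers)
    out.append(("https with invalid cert", cache.rewrite(probe)))
    # 4. One validated https response with the header: later http URLs upgrade.
    cache.handle_response(host, "https", True, headers)
    out.append(("after validated https", cache.rewrite(probe)))
    out.append(("subdomain, non-default port", cache.rewrite("http://lists.example.org:8080/x")))
    # 5. Once max-age has elapsed the policy lapses and http is plain again.
    clock[0] += 31536001
    out.append(("after max-age expired", cache.rewrite(probe)))
    return out
```

Running `walkthrough()` leaves the probe URL as plain http for the first three steps and flips it to https only after the validated TLS response; the last step shows the cached policy lapsing after max-age, which is the practical limit of the "seen it once" condition and the reason measures that make the first (and a periodic) connection an https one matter.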