On Sat, 18 Jul 2015 02:53:01 +0200 Reyk Floeter wrote:
> HSTS is a good thing and widely pushed, e.g. by Google, in an effort to
> enforce HTTPS over HTTP. It is a useful security option
I agree HSTS is useful but disagree with the rhetoric personally. It improves security for average website deployers using bog-standard hosting and large websites that can't control their own sites or design them properly/well/securely/without JS from 10s of domains. For me, however, I don't buy Google's argument of it doing "no harm" because of AES acceleration when SSL amplification DoS is taken into account, and so I hope Google don't push too hard. When my sites get enough demand to require more than one server, then I shall want to *maximise* the chances of delivering insecure content, which dictates HTTP-only servers. Pages can be enforced over SSL without HSTS, and cookies too, which many advocates don't seem to realise (that the secure cookie flags and ways to control them exist).
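As an added example after this reply (not code from the thread or from either author), a small Python checker that audits a response's Set-Cookie and Strict-Transport-Security headers, the two mechanisms the message contrasts: it reports whether each cookie carries the Secure (and HttpOnly) flag and whether an HSTS policy is present with a positive max-age. The header values below are constructed samples, and the function names are my own.

```python
"""Audit HTTP response headers for HSTS and cookie Secure/HttpOnly flags.

Added example, not part of the original mailing-list thread. Header names
and directive syntax follow RFC 6797 (HSTS) and RFC 6265 (cookies); the
function names and sample values are constructed for illustration.
"""


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                # max-age may be quoted; a non-integer value is treated as absent
                result["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                result["max_age"] = None
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def parse_set_cookie(value):
    """Return the cookie name and whether Secure / HttpOnly are set."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    # Boolean attributes have no '=' so they compare cleanly after lowercasing.
    attrs = {p.lower() for p in parts[1:]}
    return {"name": name, "secure": "secure" in attrs, "httponly": "httponly" in attrs}


def audit_headers(headers):
    """headers: iterable of (name, value) pairs from one HTTPS response.

    Returns the parsed HSTS policy, the parsed cookies and a list of findings.
    A site that chooses not to send HSTS (as the message above argues for)
    still needs every session cookie marked Secure, or the cookie leaks over
    plain HTTP; that is the check that matters most here.
    """
    hsts = None
    cookies = []
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            hsts = parse_hsts(value)
        elif lname == "set-cookie":
            cookies.append(parse_set_cookie(value))

    findings = []
    if hsts is None:
        findings.append("no HSTS header: HTTPS enforcement relies on redirects and cookie flags alone")
    elif hsts["max_age"] is None or hsts["max_age"] <= 0:
        findings.append("HSTS header present but max-age is missing or zero (policy disabled)")
    for c in cookies:
        if not c["secure"]:
            findings.append(f"cookie {c['name']!r} lacks the Secure flag: browser will send it over plain HTTP")
        if not c["httponly"]:
            findings.append(f"cookie {c['name']!r} lacks the HttpOnly flag: readable from script")
    return {"hsts": hsts, "cookies": cookies, "findings": findings}


# Constructed sample headers (not captured from any real site).
NO_HSTS_SECURE_COOKIE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly"),
]
HSTS_BUT_LEAKY_COOKIE = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sid=abc123; Path=/"),
]

if __name__ == "__main__":
    for label, hdrs in (("no HSTS, Secure cookie", NO_HSTS_SECURE_COOKIE),
                        ("HSTS, cookie without Secure", HSTS_BUT_LEAKY_COOKIE)):
        report = audit_headers(hdrs)
        print(f"== {label} ==")
        for f in report["findings"]:
            print("  -", f)
```

Run against the first sample the only finding is the absence of HSTS, which is exactly the trade-off the reply describes: the cookie itself cannot be sent over HTTP because it is marked Secure. The second sample shows the opposite failure, an HSTS policy that does nothing for a cookie the browser is still allowed to send in the clear until the policy is cached.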