About Login Register Links People Threads Discover
Mark Dain I'm starting to think the day is coming when HTTPS Everywhere is no longer required. Google is adding HSTS: security.googleblo... one less unencrypted website
6y, 33w 6 replies ¬
Login or register your account to reply
Martijn HSTS and certificate pinning still require more configuration than just setting up HTTPS, as I understand it. So it might be a while before all websites actually have it.
6y, 33w 5 replies
Mark Dain HSTS is fairly easy to setup; at it's core, it's an HTTP header. The only complexity is ensuring that forcing SSL won't cause anything to break that's depending on something not being encrypted. Sublevel used to have an HSTS header but it seems Lucian has removed it :( You're right about pinning being complicated to setup. You need 2 public keys to pin against, usually you pick 2 CAs you trust. It's very easy to break your website if you're not careful. I always setup HSTS but I'm not (yet?) pinning public keys due to the complexity.
6y, 33w 4 replies