Mark Dain I'm starting to think the day is coming when HTTPS Everywhere is no longer required. Google is adding HSTS: security.googleblo... one less unencrypted website
Martijn HSTS and certificate pinning still require more configuration than just setting up HTTPS, as I understand it. So it might be a while before all websites actually have it.
7y, 39w 5 replies
Mark Dain HSTS is fairly easy to set up; at its core, it's an HTTP header. The only complexity is ensuring that forcing SSL won't cause anything to break that's depending on something not being encrypted. Sublevel used to have an HSTS header but it seems Lucian has removed it :( You're right about pinning being complicated to set up. You need 2 public keys to pin against, usually you pick 2 CAs you trust. It's very easy to break your website if you're not careful. I always set up HSTS but I'm not (yet?) pinning public keys due to the complexity.
7y, 39w 4 replies
🦿 Lucian Marin I removed it because there's no need for it. Sublevel is serving all the content over HTTPS. HSTS is just a header that informs browsers to redirect from HTTP to HTTPS. I do the redirect from NGINX.
7y, 39w 3 replies
Mark Dain A redirect in NGINX is good for getting users on SSL but unfortunately can't solve the same set of problems as HSTS: ensuring SSL won't be stripped between the browser and the server. Any intermediate nodes could perform SSL termination. HSTS in effect forces SSL client side so a MITM proxy becomes far more difficult to pull off as you must re-encrypt to a trusted certificate. HSTS also ensures the initial connection is always made over SSL. Doing that stops users from having SSL being stripped away altogether (as I can change the packets not to redirect to SSL when I send them to you).
7y, 39w 2 replies
🦿 Lucian Marin How is that possible if the request never hits the server and gets the HSTS header?
7y, 39w 1 reply
Mark Dain The first time you have a clean visit your browser will record the header with its timeout (usually 6 months). This is refreshed with each visit. As for the very first connection ever that's an extremely hard problem to solve. Right now the best we have is HSTS preloading. You put a "preload" tag at the end and you can then ask to be included in browsers' source code. We did this some time ago: cs.chromium.org/ch... However the header is required to be there or you lose your preload status.
7y, 39w reply
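The client-side behaviour Mark describes (the browser caching the header with its timeout, refreshing it on each HTTPS visit, and consulting a built-in preload list for hosts it has never seen) as an added Python model, not code from Sublevel or from anyone in this thread. The host names, header values and preload entries are constructed; the header is only honoured when it arrived over TLS, as the HSTS spec (RFC 6797) requires.

```python
"""Toy model of how a browser stores and applies HSTS policies (constructed example)."""
from dataclasses import dataclass

# Constructed stand-in for the preload list compiled into the browser.
PRELOADED = {"sublevel.example": {"include_subdomains": True}}


@dataclass
class Policy:
    expires: float            # absolute time (seconds) at which the entry lapses
    include_subdomains: bool


def parse_hsts(header: str):
    """Parse a Strict-Transport-Security value into (max_age, includeSubDomains, preload).

    Returns None when the header is malformed (max-age missing or non-numeric)."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        directives[name.lower()] = value.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    return int(directives["max-age"]), "includesubdomains" in directives, "preload" in directives


class HstsStore:
    def __init__(self):
        self.entries = {}     # host -> Policy

    def observe(self, host: str, header: str, now: float, over_tls: bool) -> None:
        """Record the policy from a response; plain-HTTP responses are ignored."""
        parsed = parse_hsts(header)
        if not over_tls or parsed is None:
            return
        max_age, inc, _preload = parsed
        if max_age == 0:
            self.entries.pop(host, None)                   # max-age=0 clears the policy
        else:
            self.entries[host] = Policy(now + max_age, inc)  # each visit refreshes the timeout

    def must_upgrade(self, host: str, now: float) -> bool:
        """Decide whether an http:// request to host is rewritten to https:// before it is sent."""
        labels = host.split(".")
        for i in range(len(labels)):              # walk from the exact host up to each parent domain
            candidate, exact = ".".join(labels[i:]), (i == 0)
            pre = PRELOADED.get(candidate)
            if pre and (exact or pre["include_subdomains"]):
                return True
            pol = self.entries.get(candidate)
            if pol and pol.expires > now and (exact or pol.include_subdomains):
                return True
        return False
```

Because `observe` ignores anything not received over TLS, a first visit that an intermediary downgrades to plain HTTP cannot plant a policy, which is why only the preload list covers the very first connection.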