[Noisebridge-discuss] some discussion of HSTS and such mentioning Noisebridge
travis+ml-noisebridge at subspacefield.org
Thu Jan 6 22:08:38 UTC 2011
BTW, there's some discussion on the IETF websec group about HSTS,
and Noisebridge is used as an example of something that could cause
problems.
I think the problem is that the 302 redirect is going from HTTP
to HTTPS on a different domain name. I think that's legal per
se, and makes sense from a performance perspective, but somehow
causes problems with the proposed HSTS spec.
No action is required, I'm not telling anyone to do it differently,
I just found it interesting.
====
Just to show how many people currently get this wrong, here are the
sites listed in the HSTS Wikipedia article that screw it up. Note
that I verified none of them are using the resource technique either
(at least correctly).
$ curl --head http://noisebridge.net
HTTP/1.1 302 Found
Date: Thu, 30 Dec 2010 18:39:21 GMT
Server: Apache
Location: https://www.noisebridge.net/
--
Good code works on most inputs; correct code works on all inputs.
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/
If you are a spammer, please email john at subspacefield.org to get blacklisted.
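
An added example, not part of the original message: a Python model of how a browser following the HSTS rules (as later published in RFC 6797) records policy along a redirect chain like the one in the curl output, showing which hosts end up covered. The second response, its Strict-Transport-Security header and the function names are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed chain modelled on the curl output in the message. The second
# response and its STS header are assumptions; the message does not show them.
CHAIN = [
    ("http://noisebridge.net/", 302,
     {"Location": "https://www.noisebridge.net/"}),
    ("https://www.noisebridge.net/", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]

def parse_sts(value):
    """Return (max_age, include_subdomains) from an STS header value."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name.strip().lower() == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name.strip().lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def hsts_coverage(chain):
    """Map each host in the chain to True if an HSTS policy ends up covering it."""
    policies, hosts = {}, []          # policies: host -> includeSubDomains flag
    for url, _status, headers in chain:
        parts = urlsplit(url)
        host = parts.hostname
        if host not in hosts:
            hosts.append(host)
        sts = headers.get("Strict-Transport-Security")
        if not sts or parts.scheme != "https":
            continue                  # the header is ignored over plain HTTP
        max_age, include_sub = parse_sts(sts)
        if max_age is None:
            continue                  # max-age is required; ignore the header
        if max_age == 0:
            policies.pop(host, None)  # max-age=0 removes a stored policy
        else:
            policies[host] = include_sub
    def covered(host):
        # A policy applies to the host that sent it, and to its subdomains
        # only when includeSubDomains was set. It never applies to a parent.
        return host in policies or any(
            sub and host.endswith("." + p) for p, sub in policies.items())
    return {host: covered(host) for host in hosts}

if __name__ == "__main__":
    print(hsts_coverage(CHAIN))
```

A chain that first redirects to HTTPS on the same hostname and sends the header there, before moving on to the www host, reports both hosts as covered.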