[OSM-talk] HTTPS all the Things (Automated Edit)

Bryce Jasmer bryce at jasmer.com
Tue Feb 26 14:37:38 UTC 2019


The HSTS discussion is completely orthogonal to what the stated goal is and
any further discussion on it is really just muddying the waters. HSTS comes
into play after the user is already visiting over https.

If I’m mistaken, please help me understand.

On Tue, Feb 26, 2019 at 6:30 AM Rory McCann <rory at technomancy.org> wrote:

> On 26/02/2019 14:45, Joseph Reeves wrote:
> > As an aside, HSTS is interesting here because the website operator is
> > saying "only use this domain over https", but at that point, we don't
> > need to make changes to the database because the web client should be
> > aware of the HSTS preload list; the protocol listed in the referrer
> > is not relevant.
>
> I don't think we can rely totally on HSTS. I'm sure not all sites are on
> HSTS preload lists. I think OSM has more "website=http://*" tags (965k)¹
> than Firefox² & Chrome³ have in their HSTS preload lists...
>
> [1] https://taginfo.openstreetmap.org/keys/website#values
>
> [2] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#Preloading_Strict_Transport_Security
>     https://hg.mozilla.org/mozilla-central/raw-file/tip/security/manager/ssl/nsSTSPreloadList.inc
>
> [3] https://www.chromium.org/hsts
>     https://cs.chromium.org/codesearch/f/chromium/src/net/http/transport_security_state_static.json?cl=5b2537d89ea5994d27bba5735961b0be1095c54c
>
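
Added example, not part of the original messages: a sketch of the point argued in this thread, that a preload-aware client only upgrades "website=http://..." values whose host is covered by an HSTS preload entry, so the rest are still fetched over plain HTTP on first visit. The entry fields (name, mode, include_subdomains) are assumed to follow the Chromium list linked in [3]; the preload entries and tag values are constructed samples.

```python
from urllib.parse import urlsplit

# Constructed sample entries, shaped like the entries in Chromium's
# transport_security_state_static.json (assumed fields: name, mode,
# include_subdomains). Not real preload data.
PRELOAD_ENTRIES = [
    {"name": "example.org", "mode": "force-https", "include_subdomains": True},
    {"name": "shop.example.net", "mode": "force-https"},
    {"name": "pins-only.example", "include_subdomains": True},  # no HSTS mode
]

def build_index(entries):
    """Map host -> include_subdomains for entries that actually force HTTPS."""
    return {e["name"].lower(): bool(e.get("include_subdomains"))
            for e in entries if e.get("mode") == "force-https"}

def preload_upgrades(url, index):
    """True if a preload-aware client would rewrite this http:// URL to https
    before the first request, with no prior visit to the site."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme.lower() != "http" or not host:
        return False
    if host in index:                      # exact match always applies
        return True
    labels = host.split(".")
    # Parent domains apply only when they set include_subdomains.
    return any(index.get(".".join(labels[i:])) for i in range(1, len(labels)))

def split_tags(urls, entries):
    """Partition http:// tag values into (upgraded, still_plain_http)."""
    index = build_index(entries)
    upgraded = [u for u in urls if preload_upgrades(u, index)]
    plain = [u for u in urls if urlsplit(u).scheme.lower() == "http"
             and u not in upgraded]
    return upgraded, plain

# Constructed website=* tag values.
SAMPLE_TAGS = [
    "http://example.org/",
    "http://www.example.org/cafe",
    "http://shop.example.net/",
    "http://www.shop.example.net/",   # parent lacks include_subdomains
    "http://bakery.example.com/",     # not on the list at all
    "http://pins-only.example/",      # listed, but without force-https
    "https://example.com/",           # already https, not counted
]

print(split_tags(SAMPLE_TAGS, PRELOAD_ENTRIES))
```
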

