[OSM-talk] HTTPS all the Things (Automated Edit)
Mateusz Konieczny
matkoniecz at tutanota.com
Wed Feb 27 12:21:30 UTC 2019
In this case there are two things - motivation for spending time on edit and effects of actual changes.
Motivation is not really important - it is not important whatever someone loves letter s or wants to
improve security (and even if security is improved there was no point in mentioning it).
No matter what is the motivation, result is that really boring update work will be done
and OSM database will be sligthly more up to date.
I do not really care about "latest edit date will change" problem - this is only heurestic and
extremely poor one to measure anything.
Feb 26, 2019, 3:39 PM by iknowjoseph at gmail.com:
> Hi Rory,
>
> Sure, so my point is: If someone wants to encourage https adoption in the wider world, the OSM database is not the place to do it. Security mechanisms exist for website operators to implement if they so desire, and they may need help making the most appropriate decisions.
>
> Cheers, Joseph
>
> On Tue, 26 Feb 2019 at 14:30, Rory McCann <> rory at technomancy.org <mailto:rory at technomancy.org>> > wrote:
>
>> On 26/02/2019 14:45, Joseph Reeves wrote:
>> > As an aside, HSTS is interesting here because the website operator is
>> > saying "only use this domain over https", but at that point, we don't
>> > need to make changes to the database because the web client should be
>> > aware of the HSTS preload list; the protocol listed in the referrer
>> > is not relevant.
>>
>> I don't think we can rely totally on HSTS. I'm sure not all sites are on
>> HSTS preload lists. I think OSM has more "website=http://*" tags (965k)¹
>> than Firefox² & Chrome³ have in their HSTS preload lists...
>>
>> [1] >> https://taginfo.openstreetmap.org/keys/website#values <https://taginfo.openstreetmap.org/keys/website#values>
>>
>> [2]
>> >> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#Preloading_Strict_Transport_Security <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#Preloading_Strict_Transport_Security>
>> >> https://hg.mozilla.org/mozilla-central/raw-file/tip/security/manager/ssl/nsSTSPreloadList.inc <https://hg.mozilla.org/mozilla-central/raw-file/tip/security/manager/ssl/nsSTSPreloadList.inc>
>>
>> [3]
>> >> https://www.chromium.org/hsts <https://www.chromium.org/hsts>
>> >> https://cs.chromium.org/codesearch/f/chromium/src/net/http/transport_security_state_static.json?cl=5b2537d89ea5994d27bba5735961b0be1095c54c <https://cs.chromium.org/codesearch/f/chromium/src/net/http/transport_security_state_static.json?cl=5b2537d89ea5994d27bba5735961b0be1095c54c>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/talk/attachments/20190227/b6af07a3/attachment.html>
More information about the talk
mailing list