Re: HSTS Misuse

On 2016-05-22 15:13, Dennis Olvany wrote:

> I suppose third-party HSTS may be a good way to describe the scenario I propose. To be more clear, let's say that the https server is provided by a web hosting company and their customer is the ___domain owner.

Hello. 

In my opinion, it's a bad practice that should be avoided.

For a given ___domain, an HTTPS server must only use HSTS if it serves
fully encrypted content.
If it serves plain-text or mixed content for a ___domain that uses HSTS,
that is an error.

If you want to redirect HTTPS connections to plain-text content, then you
MUST NOT use HSTS on any of the servers or CDNs serving this ___domain.
If one or more virtual hosts activate HSTS on your ___domain, your clients
will be stuck for a while.

As long as HSTS in DNS is not standardized or implemented, the ___domain
owner does not matter; it's only a server problem.

Solarus 
Received on Monday, 23 May 2016 09:50:26 UTC
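To illustrate the point made in the reply, that a single virtual host sending HSTS pins the whole ___domain for every client, the following added example (not from the thread) models a browser's HSTS store as described in RFC 6797 and runs it over constructed responses for the hypothetical ___domain example.org; the header name and directives are the real ones, the hosts and values are made up.

```python
from urllib.parse import urlsplit, urlunsplit

def parse_sts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1) into
    (max_age, include_subdomains); None means the UA must ignore the header."""
    max_age, include_sub = None, False
    for token in value.split(";"):
        name, _, arg = token.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None                 # duplicate or malformed max-age
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsCache:
    def __init__(self, now=0):
        self.now, self.entries = now, {}    # host -> (expiry, includeSubDomains)
    def observe(self, url, headers):
        """Record a response; only HTTPS responses may set or clear HSTS state."""
        parts = urlsplit(url)
        sts = headers.get("Strict-Transport-Security")
        parsed = parse_sts(sts) if parts.scheme == "https" and sts else None
        if parsed and parsed[0] == 0:       # max-age=0 is how a server un-pins a host
            self.entries.pop(parts.hostname, None)
        elif parsed:
            self.entries[parts.hostname] = (self.now + parsed[0], parsed[1])
    def is_known_host(self, host):
        labels = host.split(".")
        for i in range(len(labels)):        # exact host first, then each parent ___domain
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > self.now and (i == 0 or entry[1]):
                return True
        return False
    def rewrite(self, url):
        """UA-side upgrade: an http:// URL to a known HSTS host becomes https://."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_host(parts.hostname):
            return urlunsplit(parts._replace(scheme="https"))
        return url

def hosting_scenario():
    # Constructed scenario: one vhost on the shared server sends HSTS for example.org,
    # then another vhost tries to redirect visitors to plain-text http://.
    cache = HstsCache(now=1000)
    cache.observe("https://example.org/shop", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    while_pinned = cache.rewrite("http://blog.example.org/")   # the UA upgrades the redirect target
    cache.observe("https://example.org/", {"Strict-Transport-Security": "max-age=0"})
    after_reset = cache.rewrite("http://blog.example.org/")
    return while_pinned, after_reset
```

The only way out of the pinned state, short of waiting for max-age to elapse, is for an HTTPS response on the same host to send max-age=0, which is why every virtual host and CDN node for the ___domain has to agree on the policy.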