[arch-dev-public] [RFC] Add archlinux.org domain to HSTS Preload list

Pierre Schmitz pierre at archlinux.de
Thu Jan 5 16:26:44 UTC 2017

On 04.01.2017 20:43, Giancarlo Razzolini wrote:
> Hi All,
>   With some improvements we have been doing to the infrastructure, we've
>   reached a point where practically everything on archlinux.org is hosted
>   using TLS/SSL.
>   I have run a sslyze test on every one of our DNS entries and the ones that
>   did not answer are supposed to. In case you guys are interested, I'm
>   putting links to the tests I performed in json format at the end of the
>   email.[0][1]
>   My question is, should we add archlinux.org to the HSTS preload list?[2]
>   Or, better yet, should we ever host something *not* using TLS/SSL?
>   Cheers,
> Giancarlo Razzolini
> [0] Full test, quite big: https://paste.xinu.at/UOII
> [1] Failed hosts: https://paste.xinu.at/5srl/
> [2] https://hstspreload.org/

In general a great idea. Our Torrent tracker does not support https as 
it seems: http://tracker.archlinux.org:6969/stat I haven't looked into 
it yet though. Port 443 redirects to bbs which is strange...



Pierre Schmitz, https://pierre-schmitz.com
