[arch-dev-public] [RFC] Add archlinux.org domain to HSTS Preload list
Giancarlo Razzolini
grazzolini at archlinux.org
Thu Jan 5 17:27:56 UTC 2017
On January 5, 2017 14:26 Pierre Schmitz wrote:
>
> In general a great idea. Our Torrent tracker does not support https as
> it seems: http://tracker.archlinux.org:6969/stat I haven't looked into
> it yet though. Port 443 redirects to bbs which is strange...
>
I only tested port 443 on those servers. sslyze can test for STARTTLS on
most services (smtp and others) but I focused on standard https. If the
tracker is not replying on https, I'm confident we can make it do so.
My intention with the RFC was/is mainly to see if we have any show stoppers
that might prevent us from doing so. And, it is worth noting that HSTS
preloading works mainly (only?) for browsers. Libraries and command line
tools don't use it, as far as I know, nor would Bittorrent clients.
Also, once included, removal is not very easy. So, if we do this, we must
be sure we will not host anything not using TLS. One option, though, is to
not include subdomains and only add archlinux.org and www to the preload
list now, and add the entire domain after we are sure.
Cheers,
Giancarlo Razzolini
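The trade-off discussed in this thread (preloading with or without includeSubDomains, and what that does to a plain-http service such as a tracker on a non-standard port) can be made concrete with a small policy checker. The following is an added example, not code from the arch-dev-public discussion or from the Arch Linux project: it parses a Strict-Transport-Security header as described in RFC 6797, reports which preload submission requirements the policy misses, and applies the RFC 6797 section 8.3 URL rewriting rule that an HSTS-aware browser would use. The header values are constructed samples, not headers captured from archlinux.org; the one-year max-age threshold is an assumption based on the current hstspreload.org requirement (the threshold in force in January 2017 was lower).

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample header values (not captured from any archlinux.org host).
HEADER_FULL = "max-age=31536000; includeSubDomains; preload"
HEADER_APEX_ONLY = "max-age=31536000; preload"
HEADER_SHORT = "max-age=300; includeSubDomains"

# Assumption: hstspreload.org requires max-age of at least one year.
PRELOAD_MIN_MAX_AGE = 31536000

PROBLEM_MAX_AGE = "max-age is below the preload minimum"
PROBLEM_SUBDOMAINS = "includeSubDomains directive is missing"
PROBLEM_PRELOAD = "preload directive is missing"


def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Directive names are case-insensitive, unknown directives are ignored,
    and max-age is mandatory."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


def preload_problems(policy):
    """Return the list of preload requirements the parsed policy fails."""
    problems = []
    if policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append(PROBLEM_MAX_AGE)
    if not policy["include_subdomains"]:
        problems.append(PROBLEM_SUBDOMAINS)
    if not policy["preload"]:
        problems.append(PROBLEM_PRELOAD)
    return problems


def hsts_applies(policy_host, policy, request_host):
    """Does a policy known for policy_host cover request_host?

    Exact match always applies; a subdomain only applies when the policy
    carries includeSubDomains (RFC 6797 section 8.2/8.3)."""
    policy_host = policy_host.lower().rstrip(".")
    request_host = request_host.lower().rstrip(".")
    if request_host == policy_host:
        return True
    return policy["include_subdomains"] and request_host.endswith("." + policy_host)


def upgrade_url(url, policy_host, policy):
    """Rewrite an http:// URL the way an HSTS-enforcing browser would.

    RFC 6797 section 8.3: scheme becomes https, an explicit port 80 becomes
    443 (i.e. the default, so it is dropped), any other explicit port is
    kept unchanged. A tracker that only speaks plain HTTP on 6969 therefore
    becomes unreachable from a browser once the parent domain is preloaded
    with includeSubDomains."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname is None:
        return url
    if not hsts_applies(policy_host, policy, parts.hostname):
        return url
    netloc = parts.hostname
    if parts.port is not None and parts.port != 80:
        netloc += f":{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    tracker = "http://tracker.archlinux.org:6969/stat"
    for label, header in (("full", HEADER_FULL), ("apex-only", HEADER_APEX_ONLY)):
        policy = parse_hsts(header)
        print(label, "problems:", preload_problems(policy) or "none")
        print(label, "browser would request:", upgrade_url(tracker, "archlinux.org", policy))
```

Running the script shows the two options from the thread side by side: with the full header, a browser that has archlinux.org preloaded rewrites the tracker URL to https on port 6969, so the tracker must actually serve TLS there; with the apex-only header the tracker URL is left alone, but the policy fails the includeSubDomains requirement and would not be accepted for preloading as submitted.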