[arch-dev-public] [RFC] Add archlinux.org domain to HSTS Preload list

Giancarlo Razzolini grazzolini at archlinux.org
Thu Jan 5 17:27:56 UTC 2017

Em janeiro 5, 2017 14:26 Pierre Schmitz escreveu:
> In general a great idea. Our Torrent tracker does not support https as 
> it seems: http://tracker.archlinux.org:6969/stat I haven't looked into 
> it yet though. Port 443 redirects to bbs which is strange...

  I only tested port 443 on those servers. sslyze can test for STARTTLS on
  most services (smtp and others) but I focused on standard https. If the
  tracker is not replying on https, I'm confident we can make it do so.

  My intention with the RFC was/is mainly to see if we have any show stoppers
  that might prevent us from doing so. And, it is worth noting that HSTS
  preloading works mainly (only?) for browsers. Libraries and command line
  tools don't use it, as far as I know, nor would Bittorrent clients.

  Also, once included, removal is not very easy. So, if we do this, we must
  be sure we will not host anything not using TLS. One option though is to
  not include subdomains and only make archlinux.org and www to the preload
  list now, and make the entire domain, after we are sure.

Giancarlo Razzolini
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 870 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-dev-public/attachments/20170105/1af4c1c3/attachment.asc>

More information about the arch-dev-public mailing list