[arch-dev-public] [RFC] Add archlinux.org domain to HSTS Preload list
grazzolini at archlinux.org
Thu Jan 26 19:58:13 UTC 2017
Em janeiro 19, 2017 23:05 Giancarlo Razzolini escreveu:
> I plan to wait another week before moving on to adding archlinux.org domain to
> the preload list.
As one week was passed, and no objections were made, the archlinux.org was just
added to the preload list .
It takes some time for the change to propagate through versions, but usually the
next major version of Chrome (and possibly Firefox), will contain the inclusion.
On the past couple of weeks I tried to find STS preload usage outside of browsers,
and I found none. wget seems to respect HTST header, but it doesn't use preload
as far as I can tell. curl doesn't seem to have much (any?) documentation on the
subject, and I don't see any evidence for preload lists on either their source and
our package of it.
Anyway, from now on, every http service will *have* to be served through TLS. We
have our certs being renewed automatically, so it shouldn't be an issue. If we ever
need to disable preload, it will need to be done months before any usage of plain
http service. And even then, some users that do not update their browsers regularly,
won't be able to access anything under archlinux.org.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 870 bytes
Desc: not available
More information about the arch-dev-public