[arch-dev-public] [RFC] Add archlinux.org domain to HSTS Preload list

Giancarlo Razzolini grazzolini at archlinux.org
Thu Jan 26 19:58:13 UTC 2017


On January 19, 2017 23:05, Giancarlo Razzolini wrote:
> 
> I plan to wait another week before moving on to adding archlinux.org domain to
> the preload list.
> 
Hi all,

  As one week has passed, and no objections were made, archlinux.org was just
added to the preload list [0][1].

  It takes some time for the change to propagate through versions, but usually the
  next major version of Chrome (and possibly Firefox) will contain the inclusion.

  Over the past couple of weeks I tried to find STS preload usage outside of browsers,
  and I found none. wget seems to respect the HSTS header, but it doesn't use preload
  as far as I can tell. curl doesn't seem to have much (any?) documentation on the
  subject, and I don't see any evidence for preload lists in either their source or
  our package of it.

  Anyway, from now on, every http service will *have* to be served through TLS. We
  have our certs being renewed automatically, so it shouldn't be an issue. If we ever
  need to disable preload, it will need to be done months before any usage of plain
  http service. And even then, some users who do not update their browsers regularly
  won't be able to access anything under archlinux.org.

Cheers,
Giancarlo Razzolini

[0] https://git.archlinux.org/infrastructure.git/commit/?id=9beccb72d1e6e26593484ddb2c7bf642ea9446d2
[1] https://hstspreload.org/?domain=archlinux.org