Microsoft: FINE, we'll help your web sessions be secure, SHEESH

Microsoft has updated both Internet Explorer and its new Edge web browser to make it easier for sites to encourage visitors to use secure HTTPS encryption. As part of this month's Patch Tuesday batch of security updates, the software giant has added support for HTTP Strict Transport Security (HSTS) to its browsers. Sites can …

  1. Trevor_Pott Gold badge
    Trollface

    It's good to know that the browser that I'll only ever use once - to go to http://www.ninite.com - will be able to redirect me to https://ninite.com/ without typing in the extra s. All that effort saved!

    1. Anonymous Coward
      Anonymous Coward

      All you have done is demonstrate your complete lack of understanding for HSTS in your haste to piss on anything MS does.

      It won't "redirect you" to anything, make you taller, smarter or any less of a whining OSS fanboy. Pity that...

  2. BristolBachelor Gold badge

    Maybe I'm the only one, but please stop this. I have to travel to places that either just block HTTPS outright, or they do a man in the middle so that they can scan everything on the way through. More common is just blocking it. I know this because of all the problems I had with Google always changing http://www.google.co.uk/ to HTTPS and then failing.

    1. Not That Andrew

      Hmm, I see your point. If someone just enters google.com in the address bar it's probably safe to assume they want the https version, but if you enter http://www.google.com/ you certainly want the http version of the site.

      1. Destroy All Monsters Silver badge
        Holmes

        You may want https-over-http tunnelling protocol. Fat blobs of BASE64-encoded stuff in the http exchange? Suits you, sir.

      2. pixl97

        >but if you enter http://www.google.com/ you certainly want the http version of the site

        Google doesn't offer regular http for a reason. If you offer https services there are a plethora of reasons not to offer http for any reasons other than redirection. Offering both is a terrible security risk and that is why we have HSTS.

        1. Anonymous Coward
          WTF?

          And is one damned good reason you don't: the connection that you are using refuses to pass that content. Welcome to a goodly sized part of "the real world." Ivory tower ideals are nice (I spent my teen years at the university) but my engineering side recognizes that the real world is the real world. Get over yourself. Definitely applies to the whole Mozilla team and some recent Google activity.

          Hey, BTW, have they run tests all over the world using locally available devices and connections? Yeah, thought not.

          1. Anonymous Coward
            Anonymous Coward

            HTTPS is a pretty basic web standard that you would expect every browser to support. If a certain organisation decides to block it then you can't expect others to have to cater for those non-standard cases.

            They could quite easily block HTTP, or Google itself or do anything else they wanted that is non-standard. However, as laborious as they sometimes are, you can only expect developers to try to work within the foundations of the standards and not try to cater for every use-case especially when those use-cases are purposely inflicted.

            As for the MITM proxy for HTTPS - well without it you'd be using HTTP anyway so it is no less secure. At least, as long as you are not on their domain you can see that they have tried to run a fake cert.

  3. Destroy All Monsters Silver badge
    Windows

    ★★★ Chemo continues ★★★

    But there is still much cancer in many locations. The doctor is still unsure about the prognosis!

  4. Jim 59

    SHEESH

    Slashdot: Internet Explorer 11 Gains HTTP Strict Transport Security In Windows 7 and 8.1

    The Register: Microsoft: FINE, we'll help your web sessions be secure, SHEESH

  5. DaLo

    Really don't understand this pre-load list which all browsers seem to be adopting. These are hard-coded into the browser source and therefore seem completely unscalable and unmanageable.

    In Chromium the preload list is hard coded into transport_security_state_static.json as part of the build. At the moment it has over 2100 domains in the list and every organisation is encouraged to become HSTS compliant and add themselves?
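
The behaviour argued over in the comments above, as an added example (not code from the article, Microsoft or Chromium): a simplified model of how a browser applies HSTS as specified in RFC 6797, checking a built-in preload table and policies learned from `Strict-Transport-Security` headers, then upgrading the URL locally before any request is sent. `PRELOADED`, `HstsStore` and the `.example` hosts are constructed for illustration, and the parser ignores the RFC's finer points such as duplicate directives and IP-literal hosts.

```python
import time
from urllib.parse import urlsplit, urlunsplit
# Constructed stand-in for a browser's built-in preload list: host -> include_subdomains
PRELOADED = {"preloaded.example": True}

def parse_sts(header):  # -> (max_age, include_subdomains), or None if unusable
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = (s.strip().lower() for s in directive.partition("="))
        if name == "max-age":
            if not value.strip('"').isdecimal():
                return None                  # malformed max-age: ignore the header
            max_age = int(value.strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    def __init__(self, preload=PRELOADED, clock=time.time):
        self.preload, self.clock = preload, clock
        self.dynamic = {}                    # host -> (expiry, include_subdomains)

    def note_response(self, url, header):
        """Store a policy; a header received over plain HTTP is ignored."""
        parts, policy = urlsplit(url), parse_sts(header)
        if parts.scheme != "https" or policy is None:
            return False
        host, (max_age, sub) = parts.hostname.lower(), policy
        self.dynamic[host] = (self.clock() + max_age, sub)  # max-age=0 expires at once
        return True

    def is_hsts(self, host):
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):         # the host itself, then each parent domain
            name, exact = ".".join(labels[i:]), i == 0
            if name in self.preload and (exact or self.preload[name]):
                return True
            expiry, sub = self.dynamic.get(name, (0, False))
            if expiry > self.clock() and (exact or sub):
                return True
        return False

    def upgrade(self, url):
        """Rewrite http:// to https:// locally, before any request leaves the browser."""
        p = urlsplit(url)
        if p.scheme != "http" or not p.hostname or not self.is_hsts(p.hostname):
            return url
        port = "" if p.port in (None, 80) else f":{p.port}"
        return urlunsplit(("https", p.hostname + port, p.path, p.query, p.fragment))
```

A preloaded host is upgraded on the very first visit, while a dynamically learned policy only protects visits made after one successful HTTPS response and before its `max-age` runs out.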
