undefined | Better HN

0 pointsuser59944618y ago0 comments

I am definitely talking HSTS. You only need HTTPS enabled and send the "Strict-Transport-Security" header. It is very easy to setup, it can also backfire pretty bad.

Not HKPK.

0 comments

okket8y ago

I still think you have this wrong:

HSTS says "This domain uses TLS and ONLY TLS. Ignore insecure connections to this domain. Remember this for x seconds." (should be harmless these days, why should it backfire?)

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security...

HPKP says "This domain uses this certificate. Also, remember this and ignore/complain when different in the future." (which is the problematic part)

https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning#How_It...

user5994461OP8y ago

You don't seem to understand. Read again, I gave many scenarios where a certificate will be invalid, that will block all access to your site if HSTS is enabled.

okket8y ago

I read your posts. Your examples apply to HKPK (key pinning), not HSTS (enforcing TLS only).

1 more reply

j / k navigate · click thread line to collapse

0 comments

okket8y ago

I still think you have this wrong:

HSTS says "This domain uses TLS and ONLY TLS. Ignore insecure connections to this domain. Remember this for x seconds." (should be harmless these days, why should it backfire?)

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security...

HPKP says "This domain uses this certificate. Also, remember this and ignore/complain when different in the future." (which is the problematic part)

https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning#How_It...

user5994461OP8y ago

You don't seem to understand. Read again, I gave many scenarios where a certificate will be invalid, that will block all access to your site if HSTS is enabled.

okket8y ago

I read your posts. Your examples apply to HKPK (key pinning), not HSTS (enforcing TLS only).

1 more reply

j / k navigate · click thread line to collapse