[Noisebridge-discuss] some discussion of HSTS and such mentioning Noisebridge

travis+ml-noisebridge at subspacefield.org travis+ml-noisebridge at subspacefield.org
Thu Jan 6 14:08:38 PST 2011


BTW, there's some discussion on the IETF websec group about HSTS,
and noisebridge is used as an example of something that could cause
problems.

I think the problem is that the 302 redirect is going from HTTP
to HTTPS on a different domain name.  I think that's legal per
se, and makes sense from a performance perspective, but somehow
causes problems with the proposed HSTS spec.

No action is required, I'm not telling anyone to do it differently,
I just found it interesting.

====

Just to show how many people currently get this wrong, here's the
sites listed in the HSTS wikipedia article that screw it up.  Note
that I verified none of them are using the resource technique either
(at least correctly).

$ curl --head http://noisebridge.net
HTTP/1.1 302 Found
Date: Thu, 30 Dec 2010 18:39:21 GMT
Server: Apache
Location: https://www.noisebridge.net/
-- 
Good code works on most inputs; correct code works on all inputs.
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/ 
If you are a spammer, please email john at subspacefield.org to get blacklisted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
Url : http://www.noisebridge.net/pipermail/noisebridge-discuss/attachments/20110106/0eb87e7d/attachment.pgp 


More information about the Noisebridge-discuss mailing list