sks-devel

[Sks-devel] Pools & HSTS header


From: Valentin Sundermann
Subject: [Sks-devel] Pools & HSTS header
Date: Thu, 26 May 2016 00:47:57 +0200

Hi,

I enforce HTTPS on all my domains by sending the HSTS header to my
visitors. HSTS forces the browser to use only secure connections to this
domain in future. More info on Wikipedia[1] :)
Since my keyserver could be added to pools of keyservers without any
notice to me, it is possible that some servers will send this kind of
header on pool domains too.
HSTS has a feature which adds a domain to a list of sites (see [2])
which is preloaded in the browser's source code. Especially with this
feature, servers could instruct browsers to only use HTTPS on a pool
domain, which would obviously cause some problems with other servers that
don't support HTTPS.
After all, some browsers (which have seen the HSTS header) could lose
their connectivity to many other servers. This is either only a temporary
issue (there's a timespan in the header for how long HTTPS is enforced)
or, with a pool on a preload list, this could destroy the domain name
irrevocably (there's no way to revoke things on this list).

I didn't read anything about this issue when setting up my keyserver. I
think a small hint for keyserver admins somewhere in a
manpage/readme/etc. would be useful.

Another good thing would be checks from the pool operator's side to
check the server's headers before adding it to the pool. This would sort
out most of the "problematic" servers.

Did I miss something there, or could this really lead to problems? :)

Best regards,
Valentin


[1] https://en.wikipedia.org/wiki/HSTS
[2] https://hstspreload.appspot.com
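The pool-side header check proposed in the mail, as an added worked example (this is not code from the mail, from the SKS project, or from any pool operator). It parses a Strict-Transport-Security value the way RFC 6797 section 6.1 describes, classifies a candidate server's HTTPS response head as eligible or not, and includes a small live fetcher; the two sample responses are constructed, and the `sks_www/1.1.5` banner is an assumption used for illustration only.

```python
"""Pool-side check for HSTS on a candidate keyserver.

Added example, not code from the mail or from SKS. Header parsing follows
RFC 6797 section 6.1; the sample responses at the bottom are constructed.
"""
import http.client
import ssl
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class HstsPolicy:
    max_age: int            # seconds the browser pins the host name to HTTPS
    include_subdomains: bool
    preload: bool           # asks to be put on the browsers' built-in list


def parse_sts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; None means browsers ignore it.

    RFC 6797: ';'-separated directives, names case-insensitive, max-age is
    required, no directive may appear twice, unknown directives are ignored.
    """
    seen = set()
    max_age = None
    include_sub = preload = False
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')        # max-age may be a quoted-string
        if name in seen:
            return None                     # duplicate directive: invalid header
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, preload)


def parse_response_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a response head (layout of `curl -sI`) into status line and headers."""
    lines = raw.strip().splitlines()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, val = line.split(":", 1)
            headers[name.strip().lower()] = val.strip()
    return lines[0], headers


def check_pool_candidate(raw_head: str) -> Tuple[bool, str]:
    """Return (eligible, reason) for adding the server to a pool.

    Browsers store HSTS under the host name they connected to, so a member
    that sends it while answering for the pool name pins that name to HTTPS
    for every member, including those without TLS. Browsers ignore HSTS on
    plain HTTP, so this must be fed the HTTPS response.
    """
    _, headers = parse_response_head(raw_head)
    sts = headers.get("strict-transport-security")
    if sts is None:
        return True, "no HSTS header"
    policy = parse_sts(sts)
    if policy is None:
        return True, "malformed HSTS header (browsers ignore it)"
    if policy.max_age == 0:
        return True, "HSTS max-age=0 (only clears a cached policy)"
    reason = f"HSTS max-age={policy.max_age} (~{policy.max_age // 86400} days)"
    if policy.include_subdomains:
        reason += ", includeSubDomains"
    if policy.preload:
        reason += ", preload (may end up on the browser preload list)"
    return False, reason


def fetch_response_head(host: str, port: int = 443, path: str = "/") -> str:
    """Fetch a live server's HTTPS response head; not used by the samples below."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    head = [f"HTTP/1.1 {resp.status} {resp.reason}"]
    head += [f"{k}: {v}" for k, v in resp.getheaders()]
    conn.close()
    return "\n".join(head)


# Constructed sample responses (not captured from real servers).
SAMPLE_PLAIN = """HTTP/1.1 200 OK
Server: sks_www/1.1.5
Content-Type: text/html"""

SAMPLE_HSTS = """HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Type: text/html"""

if __name__ == "__main__":
    for label, sample in (("plain", SAMPLE_PLAIN), ("hsts", SAMPLE_HSTS)):
        print(label, check_pool_candidate(sample))
```

Run it against a candidate with `check_pool_candidate(fetch_response_head("keyserver.example"))`; if the server uses name-based virtual hosts, repeat the fetch with the pool name as the SNI/Host so the check sees the vhost the pool traffic will actually hit.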


