Anyone here using HSTS preloading

Started by Jailer, June 04, 2016, 11:50:47 PM

Jailer

Just recently was approved for HSTS pre loading on the forum I host. Does this matter to anyone in general? Do any of you that have forums that are served over HTTPS care about this or HSTS in general?

Just curious what the general consensus is out there in the wild. Me personally, the fact that the only way to connect to my forum is through an encrypted connection (an A+ one at that) is a big deal. I have no idea if the NSA or any other 3 letter .gov agency can eavesdrop but if they can I'm going to make it as hard as possible for them.

Your thoughts?


青山 素子

#1
Keep in mind that putting in a request to be added to the HSTS preloading lists creates an obligation. It's easy enough to get on the list, but there isn't a good way to get removed from all browsers. If you aren't prepared for the consequences of being on the list and are willing to continue to keep SSL in near-perpetuity, don't request an add. You can use HSTS without being in the preload list.

If you're concerned about security, you should be using HTTP Public Key Pinning to prevent SSL MITM.

Edit: Clarified my post, as it was a bit confusing with the initial wording.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


6TiME6

I'd suggest to use just HSTS without the preloading list. Like the post above pointed out, you should also use key pinning as well as forward secrecy.

Jailer

Well I took your advice and implemented Public Key Pinning. The information was a little daunting at first since you can lock yourself out of your site if you're not careful. But it's set at 60 seconds for now until I'm sure no one has connection issues and then I'll up the time to something more useful.

I did submit to the preloading list but it's still pending. Keeping that obligation won't be an issue as this site will be served over HTTPS until its death.

Next question. Is anyone using a good Content Security Policy on their forum? Or does the average site owner/administrator even care about this stuff at all and not want to mess with it? Curious to hear people's responses.
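Added example (not code from this thread, from SMF, or from any of the posters): a small Python checker for the two headers the thread discusses. It tests whether a Strict-Transport-Security value meets the preload-list requirements that Motoko-chan warns are hard to back out of, and whether a Public-Key-Pins value with a short max-age like Jailer's 60 seconds is well formed per RFC 7469, which requires a second (backup) pin; a missing backup pin is the usual way people lock themselves out. The one-year max-age minimum is an assumption based on the current hstspreload.org rule, and the SPKI inputs are placeholder bytes rather than real certificates. Mainstream browsers have since removed HPKP support, so the pin check is mostly of historical interest; the HSTS part is still current.

```python
# Added example (not code from this thread or from SMF): sanity-check
# HSTS and HPKP header values before relying on them.
import base64
import hashlib

# Assumption: hstspreload.org currently asks for max-age of at least one
# year (31536000 seconds) plus includeSubDomains and preload; confirm the
# live rule before submitting.
PRELOAD_MIN_MAX_AGE = 31536000
# RFC 7469 (HPKP) requires at least two pins so that a backup key exists.
HPKP_MIN_PINS = 2


def parse_directives(header_value):
    """Split a ';'-separated directive list such as
    'max-age=60; pin-sha256="abc"; includeSubDomains' into a dict mapping
    the lower-cased directive name to a list of its values (None for a
    bare token). A list is used because pin-sha256 legitimately repeats."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"') if sep else None
        directives.setdefault(name, []).append(value)
    return directives


def _max_age(directives):
    """Return max-age as an int, or None if absent or malformed."""
    values = directives.get("max-age", [])
    if not values or values[0] is None or not values[0].isdigit():
        return None
    return int(values[0])


def check_hsts_preload(header_value):
    """Return (eligible, problems) for a Strict-Transport-Security value
    judged against the preload requirements assumed above."""
    d = parse_directives(header_value)
    problems = []
    age = _max_age(d)
    if age is None:
        problems.append("max-age missing or not an integer")
    elif age < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age %d is below %d" % (age, PRELOAD_MIN_MAX_AGE))
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload token missing")
    return (not problems, problems)


def check_hpkp(header_value):
    """Return (valid, problems) for a Public-Key-Pins value: a numeric
    max-age and at least HPKP_MIN_PINS well-formed pin-sha256 values
    (base64 of a 32-byte SHA-256 digest)."""
    d = parse_directives(header_value)
    problems = []
    if _max_age(d) is None:
        problems.append("max-age missing or not an integer")
    pins = [p for p in d.get("pin-sha256", []) if p]
    for pin in pins:
        try:
            digest = base64.b64decode(pin, validate=True)
        except ValueError:
            problems.append("pin %r is not valid base64" % pin)
            continue
        if len(digest) != 32:
            problems.append("pin %r is not a 32-byte SHA-256 digest" % pin)
    if len(pins) < HPKP_MIN_PINS:
        problems.append("only %d pin(s); a backup pin is required" % len(pins))
    return (not problems, problems)


def spki_pin(spki_der):
    """pin-sha256 value for a DER-encoded SubjectPublicKeyInfo:
    base64(SHA-256(SPKI)). OpenSSL produces the same value with:
    openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin
    -outform der | openssl dgst -sha256 -binary | base64"""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


if __name__ == "__main__":
    # Constructed inputs: the HSTS value a preload submission needs, the
    # short-max-age HPKP value from the thread, and placeholder bytes
    # standing in for the real leaf and backup SPKIs.
    print(check_hsts_preload("max-age=31536000; includeSubDomains; preload"))
    print(check_hsts_preload("max-age=60"))
    leaf = spki_pin(b"constructed-leaf-spki")
    backup = spki_pin(b"constructed-backup-spki")
    print(check_hpkp('pin-sha256="%s"; pin-sha256="%s"; max-age=60' % (leaf, backup)))
    print(check_hpkp('pin-sha256="%s"; max-age=60' % leaf))
```

The backup pin should be computed from a key that is generated and kept offline, not from any certificate currently served; that is what lets you rotate out of a compromised or lost key before the pin expires. Keep max-age short, as in the post, until the backup key has been verified to produce a pin that appears in the header.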