Tom Schuster wrote:

> max-age requirement. So I propose we actively reach out to sites
> removed from our list due to max-age.

That is a good idea, though...

> For example at the moment paypal.com is missing!

PayPal is one of the sites we already reached out to. (And, we reached out to Google too.)

> We should also promote this feature more widely
> and get more sites onto that list.
> In the best case we could manage
> the list ourselves and push live updates that don't depend on a new
> Firefox version.

I think we need to improve our support for MitM proxies before we do that. Quite a few users have reported that they can't use Twitter or other sites on our list at all because we're not trusting their MitM proxy cert. Apparently these users just used Firefox's permanent certificate override feature for every HTTPS site they visited. Since they always visited the HSTS site through an "invalid" certificate, we always ignored (and still ignore) the HSTS header from the site, so those sites were just never HSTS for them. But, now those users cannot add the override because of HSTS, and they don't know how to add their MitM proxy's certificate to Firefox's trust database.

Chrome uses the operating system's root certificate trust database and I think that reduces the problem for them, because often sysadmins that run networks that use such MitM proxies preconfigure the operating system's root database with the MitM proxy certificate. I think we should do something similar (hopefully better).

Until we have this improved support for MitM proxies, it will be difficult to unequivocally advocate for sites to add themselves to the HSTS preload list.

Cheers,
Brian

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
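The interaction Brian describes (an HSTS header ignored for as long as the connection has a certificate error, then a preload entry turning that same error into a non-overridable failure) follows from RFC 6797 §8.1 and §12.1. The following simulation is an added example, not code from the thread or from Firefox; the hostnames, header values and the `MIN_PRELOAD_MAX_AGE` threshold are constructed for illustration and are not the list's actual criteria.

```python
"""Simulate a user agent's HSTS policy store (added example, not Firefox code).

Models three behaviours from RFC 6797 that the thread relies on:
  * §8.1: a Strict-Transport-Security header received over a connection with
    certificate errors is ignored, so a host never becomes HSTS for a user who
    always clicks through an "invalid" certificate.
  * §12.1: once a host is known HSTS (dynamically or via preload), a certificate
    error is a hard failure with no user override.
  * A preload-style eligibility check on max-age.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Assumed threshold for illustration only; consult the real preload policy.
MIN_PRELOAD_MAX_AGE = 18 * 7 * 24 * 3600


@dataclass
class TlsResult:
    """Outcome of one HTTPS connection as seen by the UA."""
    host: str
    cert_valid: bool                  # chain trusted, name matched, not expired
    sts_header: Optional[str] = None  # raw Strict-Transport-Security value


def parse_sts(value: str) -> Optional[Tuple[int, bool]]:
    """Return (max_age, include_subdomains), or None if the header is malformed."""
    max_age: Optional[int] = None
    include_sub = False
    for directive in value.split(";"):
        d = directive.strip()
        if not d:
            continue
        name, _, val = d.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            # RFC 6797 §6.1: max-age must be a non-negative integer, given once.
            if not val.isdigit() or max_age is not None:
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """Known HSTS hosts: a fixed preload set plus dynamic entries with expiry."""

    def __init__(self, preload=()):
        self.preload: Set[str] = set(preload)
        self.dynamic: Dict[str, int] = {}  # host -> absolute expiry time

    def observe(self, result: TlsResult, now: int) -> bool:
        """Process a response; return True if the host was (re)noted as HSTS."""
        # §8.1: header over a connection with cert errors must be ignored.
        if not result.cert_valid or result.sts_header is None:
            return False
        parsed = parse_sts(result.sts_header)
        if parsed is None:
            return False
        max_age, _include_sub = parsed
        if max_age == 0:  # max-age=0 tells the UA to forget the host
            self.dynamic.pop(result.host, None)
            return False
        self.dynamic[result.host] = now + max_age
        return True

    def is_known(self, host: str, now: int) -> bool:
        if host in self.preload:
            return True
        expiry = self.dynamic.get(host)
        return expiry is not None and expiry > now


def decide(store: HstsStore, result: TlsResult, now: int) -> str:
    """UA decision for one connection: 'ok', 'overridable-error' or 'hard-fail'."""
    if result.cert_valid:
        store.observe(result, now)
        return "ok"
    if store.is_known(result.host, now):
        return "hard-fail"  # §12.1: no user recourse for known HSTS hosts
    return "overridable-error"  # user may add a permanent certificate override


def preload_eligible(sts_header: str, min_max_age: int = MIN_PRELOAD_MAX_AGE) -> bool:
    """Would this header satisfy an assumed minimum max-age for preloading?"""
    parsed = parse_sts(sts_header)
    return parsed is not None and parsed[0] >= min_max_age


def mitm_proxy_scenario() -> Tuple[str, str, str]:
    """Replay the thread: user behind a MitM proxy whose CA the browser does not trust."""
    store = HstsStore()
    hdr = "max-age=31536000"  # constructed header value
    # 1. Every visit goes through the proxy cert, so the header is ignored
    #    and the override keeps working.
    before = decide(store, TlsResult("site.example", False, hdr), now=0)
    # 2. The site ships in the preload list of a new browser release.
    store.preload.add("site.example")
    after = decide(store, TlsResult("site.example", False, hdr), now=0)
    # 3. The proxy CA is imported into the trust store; the cert now validates.
    fixed = decide(store, TlsResult("site.example", True, hdr), now=0)
    return before, after, fixed  # -> ('overridable-error', 'hard-fail', 'ok')
```

The decision order in `decide` is the point: validity of the certificate is checked before the header is even looked at, so a user who has always relied on an override never populates the store, and the first build whose preload list contains the host is the first one that refuses the override.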
