On Thu, Aug 31, 2017 at 03:07:11PM +0200, Anselm R Garbe wrote:
> On 31 August 2017 at 14:45, hiro <23h...@gmail.com> wrote:
> > Now we have something much worse: letsencrypt and this completely
> > insecure http redirection snake-oil.
> >
> > With letsencrypt you now have to put extra work (can't keep track of
> > all the individual subdomains either, wildcards are suddenly a
> > security risk?!), and nobody bothers to quantify the amount of gained
> > security.
>
> I don't really mind letsencrypt (actually I wouldn't mind to make a
> deal with HonestAchmed or his cousin -- we can all trust them, because
> the uncle of a friend is his step brother and knows the family very
> well ;)), but I'm also a sceptic of HSTS.
>
Can you explain why you are a sceptic of HSTS?

> Where do we really have a downgrade risk? In the content suckless
> offers, this can be solved by using relative or non-protocol hrefs
> everywhere. I wouldn't mind if existing external links are not
> redirected, during time external references will adopt slowly.
>
> BR,
> Anselm
>

There is no issue (anymore) because I fixed the main template. An
example is that the logo.svg had a direct http:// link. This gives a
"mixed content" warning in your browser. A MITM can abuse plain-text
traffic; this is not possible by specifying an HSTS header. Of course
the person has to first make a single HTTPS request with the HSTS
header set. After that it works (until the expiration date, which is
set to 1 year atm).

--
Kind regards,
Hiltjo
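As an added example (not code from suckless.org, from the site's template, or from anyone in this thread), the following Python script checks the two things Hiltjo's reply touches on: whether a response carries a Strict-Transport-Security header that browsers will actually honour, with a max-age of at least the one year mentioned, and whether a page still loads any subresource over http:// (the logo.svg case), which is what produces the mixed-content warning. The response header and the HTML are constructed sample inputs; www.example.org stands in for the real host.

```python
"""Check an HTTPS response's HSTS policy and scan HTML for mixed content.

Added example, not code from suckless.org or from the thread's authors.
The header and HTML below are constructed sample inputs modelled on the
logo.svg case mentioned in the mail; www.example.org is a placeholder.
"""
from html.parser import HTMLParser

ONE_YEAR = 365 * 24 * 60 * 60  # 31536000 s, the max-age the mail mentions


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax).

    Directive names are case-insensitive; unknown directives are ignored.
    Returns {"max_age": int|None, "include_subdomains": bool, "preload": bool}.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def hsts_findings(headers, min_age=ONE_YEAR):
    """Return a list of problems with the HSTS policy in a response header dict."""
    sts = next((v for k, v in headers.items()
                if k.lower() == "strict-transport-security"), None)
    if sts is None:
        return ["no Strict-Transport-Security header: every visit can be downgraded"]
    policy = parse_hsts(sts)
    findings = []
    if policy["max_age"] is None:
        findings.append("missing or invalid max-age: browsers ignore the header")
    elif policy["max_age"] == 0:
        findings.append("max-age=0 deletes any cached policy")
    elif policy["max_age"] < min_age:
        findings.append("max-age %d is below %d" % (policy["max_age"], min_age))
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains not set: subdomains stay downgradable")
    return findings


class _ResourceCollector(HTMLParser):
    """Collect http:// URLs from tags that load subresources or link elsewhere."""

    SUBRESOURCE = {"img", "script", "link", "iframe", "audio", "video",
                   "source", "object", "embed"}
    URL_ATTRS = {"src", "href", "data", "poster"}

    def __init__(self):
        super().__init__()
        self.mixed = []   # (tag, url): subresources fetched over http://
        self.links = []   # (tag, url): plain http:// hyperlinks (not mixed content)

    def handle_starttag(self, tag, attrs):
        for name, url in attrs:
            if name not in self.URL_ATTRS or not url:
                continue
            if not url.lower().startswith("http://"):
                continue  # https://, protocol-relative (//) and relative URLs are fine
            if tag in self.SUBRESOURCE:
                self.mixed.append((tag, url))
            elif tag == "a":
                self.links.append((tag, url))


def scan_html(html):
    """Return {"mixed": [...], "links": [...]} for an HTML document."""
    parser = _ResourceCollector()
    parser.feed(html)
    parser.close()
    return {"mixed": parser.mixed, "links": parser.links}


# Constructed sample inputs (not captured from suckless.org).
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
SAMPLE_HTML = """<html><body>
<img src="http://www.example.org/logo.svg" alt="logo">
<link rel="stylesheet" href="//www.example.org/style.css">
<a href="http://www.example.org/wiki/">wiki</a>
<img src="/images/ok.png">
</body></html>"""

if __name__ == "__main__":
    print("HSTS:", hsts_findings(SAMPLE_HEADERS) or "ok")
    print("mixed content:", scan_html(SAMPLE_HTML)["mixed"])
    print("plain http links:", scan_html(SAMPLE_HTML)["links"])
```

The scanner reports only subresources (img, script, link, iframe and the like) as mixed content; a protocol-relative `//host/style.css` inherits the page's scheme and is fine, and an `<a href="http://...">` is just a plain link, which is why it is listed separately. On the HSTS side, the check mirrors the caveat in the reply: the policy is only cached after the browser has seen the header on one HTTPS response, so the first visit (or a visit after max-age has expired) is still downgradable; the `preload` directive together with submission to the browsers' preload list is what closes that first-visit window.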