William Hay <w...@dumain.com> writes:

> On Thu, May 26, 2016 at 12:47:57AM +0200, Valentin Sundermann wrote:
>> Hi,
>>
>> I enforce HTTPS on all my domains by sending the HSTS header to my
>> visitors. HSTS forces the browser to use only secure connections to
>> this domain in future. More info on Wikipedia[1] :)
>> Since my keyserver could be added to pools of keyservers without any
>> notice to me, it could be possible that some servers will send these
>> kinds of headers on pool domains too.
>>
>> Did I miss something there, or could this really lead to problems? :)
>
> AIUI HSTS only works if the header is received over an https connection,
> not an http one. Unless you have a cert in the name of one of the pools,
> then anyone trying to connect to the pool who ends up connecting to your
> server will not get far enough to see the HSTS header because of a name
> mismatch.
Well.

http://pool.sks-keyservers.net(:11371)? --redirect--> https://keyserver.siccegge.de

And if keyserver.siccegge.de presents a valid certificate + HSTS, that would be a problem, no? (And potentially undetected if the pool script mainly checks API pages.)

Christoph
-- 
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer

_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
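To make the two positions in this thread concrete, here is a small model (added here as an illustration, not code from the list or from SKS) of the RFC 6797 rules a browser applies before it records an HSTS entry: the header must arrive over HTTPS, the certificate must be valid for the host actually requested, and the entry is keyed on that host. The pool and mirror hostnames are the ones named in the thread; the responses, certificate names and URLs below are constructed sample data, and `Response`, `walk` and `hsts_hosts_after_chain` are names chosen for this example.

```python
"""Simplified model of how a client decides whether to honour
Strict-Transport-Security (RFC 6797): the header counts only when it is
received over HTTPS from a certificate valid for the requested host.
All responses below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}


@dataclass
class Response:
    url: str                         # URL the client asked for
    status: int
    headers: Dict[str, str]          # header names stored lower-case
    cert_names: List[str] = field(default_factory=list)  # SANs on the cert; empty for plain HTTP


def parse_hsts(value: str) -> Optional[Dict[str, object]]:
    """Parse an STS header value; None if it is malformed or lacks max-age."""
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


def hsts_applies(resp: Response) -> Tuple[bool, str]:
    """Would a conforming client record an HSTS entry from this response?"""
    parts = urlsplit(resp.url)
    host = parts.hostname or ""
    header = resp.headers.get("strict-transport-security")
    if header is None:
        return False, "no STS header"
    if parts.scheme != "https":
        # William's point: STS over plain HTTP is ignored outright.
        return False, "STS header ignored over plain HTTP"
    if host not in resp.cert_names:          # simplified: no wildcard matching
        # Name mismatch: the TLS handshake fails before any header is read.
        return False, f"certificate not valid for {host}; connection fails first"
    if parse_hsts(header) is None:
        return False, "malformed STS header"
    return True, "HSTS entry recorded"


def walk(start: str, site: Dict[str, Response], max_hops: int = 5) -> List[Response]:
    """Follow Location redirects the way a browser would, up to max_hops."""
    chain, url = [], start
    for _ in range(max_hops):
        resp = site[url]
        chain.append(resp)
        if resp.status in REDIRECT_CODES and "location" in resp.headers:
            url = resp.headers["location"]
            continue
        break
    return chain


def hsts_hosts_after_chain(chain: List[Response]) -> Set[str]:
    """Hosts that end up with an HSTS entry after following the chain."""
    return {urlsplit(r.url).hostname for r in chain if hsts_applies(r)[0]}


# Constructed scenario from Christoph's sketch: the pool answers over plain
# HTTP on 11371 with a redirect (and, to show it is ignored, an STS header);
# the mirror answers over HTTPS with a valid cert and STS.
POOL = "http://pool.sks-keyservers.net:11371/pks/lookup?op=stats"
MIRROR = "https://keyserver.siccegge.de/pks/lookup?op=stats"
SITE = {
    POOL: Response(POOL, 301, {"location": MIRROR,
                               "strict-transport-security": "max-age=31536000"}),
    MIRROR: Response(MIRROR, 200,
                     {"strict-transport-security": "max-age=31536000; includeSubDomains"},
                     cert_names=["keyserver.siccegge.de"]),
}

# Constructed name-mismatch case: a client asks for https://pool... but the
# mirror serves its own certificate, so the handshake fails (William's point).
POOL_TLS = "https://pool.sks-keyservers.net/pks/lookup?op=stats"
MISMATCH = Response(POOL_TLS, 200,
                    {"strict-transport-security": "max-age=31536000"},
                    cert_names=["keyserver.siccegge.de"])

if __name__ == "__main__":
    for r in walk(POOL, SITE):
        print(r.url, "->", hsts_applies(r)[1])
    print("pinned after chain:", hsts_hosts_after_chain(walk(POOL, SITE)))
    print("name mismatch:", hsts_applies(MISMATCH)[1])
```

Running the script shows the two outcomes the thread describes: the pool hostname never acquires an HSTS entry (its header was sent over plain HTTP), while the mirror hostname does once the redirect lands on it over HTTPS, which is the case a pool-health script that only checks API pages would not notice.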