William Hay <w...@dumain.com> writes:
> On Thu, May 26, 2016 at 12:47:57AM +0200, Valentin Sundermann wrote:
>> Hi,
>> 
>> I enforce HTTPS on all my domains by sending the HSTS header to my
>> visitors. HSTS forces the browser to use in future only secure
>> connections to this domain. More info on Wikipedia[1] :)
>> Since my keyserver could be added to pools of keyservers without any
>> notice to me, it could be possible that some servers will send these
>> kinds of headers on pool domains too.
>> 
>> Did I miss there something or could this really lead to problems? :)
>
> AIUI HSTS only works if the header is received over an https connection
> not an http one.  Unless you have a cert in the name of one of the pools
> then anyone trying to connect to the pool who ends up connecting to your
> server will not get far enough to see the HSTS header because of a name 
> mismatch.

Well.

  http://pool.sks-keyservers.net(:11371)? --redirect--> 
https://keyserver.siccegge.de 

And if keyserver.siccegge.de presents a valid certificate + HSTS, that would be
a problem, no? (and potentially undetected if the pool script mainly
checks API pages)

  Christoph

-- 
9FED 5C6C E206 B70A 5857  70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer

_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
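As an added example (not code from this thread or from the SKS project), the following offline checker walks the redirect chain Christoph sketches above and flags the two things a pool health check would want to see: a pool member that bounces plain-HTTP pool traffic to a different hostname, and any hop that sends Strict-Transport-Security. The hostnames are the ones named in the thread; the request path, status lines, header values and the `responses` dictionary that stands in for real fetches are constructed so the script runs without network access.

```python
"""Offline audit of a keyserver pool member for the HSTS/redirect concern
raised in the thread. All HTTP responses below are constructed sample data;
the `responses` mapping replaces an actual fetch so nothing touches the network."""

from urllib.parse import urlsplit


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status code, lowercased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security value into its directives
    (e.g. {'max-age': '31536000', 'includesubdomains': ''})."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit_pool_member(pool_url: str, responses: dict, max_hops: int = 5) -> list:
    """Follow redirects from pool_url using the recorded responses and return
    human-readable findings. An empty list means the member answered the pool
    request directly and sent no HSTS header on any hop."""
    findings = []
    pool_host = urlsplit(pool_url).hostname
    url = pool_url
    seen = set()
    for _ in range(max_hops):
        if url in seen:
            findings.append(f"redirect loop at {url}")
            break
        seen.add(url)
        raw = responses.get(url)
        if raw is None:
            findings.append(f"no response recorded for {url}")
            break
        status, headers, _body = parse_response(raw)
        parts = urlsplit(url)
        if "strict-transport-security" in headers:
            hsts = parse_hsts(headers["strict-transport-security"])
            if parts.scheme == "https":
                # This is the case the thread worries about: a member with a valid
                # certificate pinning browsers to its own hostname.
                findings.append(f"HSTS sent by {parts.hostname} (max-age={hsts.get('max-age')})")
            else:
                # Browsers ignore HSTS over plain HTTP, but the header still shows
                # the member is configured to send it.
                findings.append(f"HSTS sent over plain HTTP by {parts.hostname} (ignored by browsers)")
        if 300 <= status < 400 and "location" in headers:
            target = headers["location"]
            tparts = urlsplit(target)
            if tparts.hostname != pool_host:
                findings.append(
                    f"{parts.hostname} redirects pool traffic to {tparts.scheme}://{tparts.hostname}"
                )
            url = target
            continue
        break
    else:
        findings.append(f"more than {max_hops} redirects from {pool_url}")
    return findings


# Constructed sample data: the pool request path is an assumption.
POOL_URL = "http://pool.sks-keyservers.net:11371/pks/lookup?op=stats"
REDIRECTING_MEMBER = {
    POOL_URL: (
        "HTTP/1.1 301 Moved Permanently\r\n"
        "Location: https://keyserver.siccegge.de/pks/lookup?op=stats\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
    "https://keyserver.siccegge.de/pks/lookup?op=stats": (
        "HTTP/1.1 200 OK\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
        "Content-Type: text/html\r\n\r\n<html>stats</html>"
    ),
}
CLEAN_MEMBER = {
    POOL_URL: "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>stats</html>",
}

if __name__ == "__main__":
    for label, responses in (("redirecting", REDIRECTING_MEMBER), ("clean", CLEAN_MEMBER)):
        print(label, audit_pool_member(POOL_URL, responses) or ["ok"])
```

For a real pool script the `responses` lookup would be replaced by a fetch that does not follow redirects automatically, so that each hop is inspected rather than silently collapsed into the final 200.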