
Re: [Sks-devel] Pools & HSTS header


From: Daniel Roesler
Subject: Re: [Sks-devel] Pools & HSTS header
Date: Wed, 25 May 2016 16:35:59 -0700

I wrote up how I have nginx configured to do HSTS while being in the pool.

https://daylightpirates.org/index.html?posts/2016-05-25_hsts-hkps.md

Daniel

On Wed, May 25, 2016 at 3:47 PM, Valentin Sundermann <address@hidden> wrote:
> Hi,
>
> I enforce HTTPS on all my domains by sending the HSTS header to my
> visitors. HSTS forces the browser to use only secure connections to
> this domain in the future. More info on Wikipedia[1] :)
> Since my keyserver could be added to pools of keyservers without any
> notice to me, it could be possible that some servers will send these
> kinds of headers on pool domains too.
> HSTS has a feature which adds a domain to a list of sites (see [2])
> which is preloaded in the browser's source code. Especially with this
> feature, servers could instruct browsers to only use HTTPS on a pool
> domain, which would obviously cause some problems with other servers that
> don't support HTTPS.
> After all, some browsers (which have received the HSTS header) could lose
> their connectivity to many other servers. This is either only a temporary
> issue (there's a timespan in the header for how long HTTPS is enforced)
> or, with a pool on a preload list, this could destroy the domain name
> irrevocably (there's no way to revoke things on this list).
>
> I didn't read anything about this issue when setting up my keyserver. I
> think a small hint for keyserver admins somewhere in a
> manpage/readme/etc would be useful.
>
> Another good thing would be checks from the pool operator side to check
> the server's headers before adding it to the pool. This would sort out
> most of the "problematic" servers.
>
> Did I miss something there, or could this really lead to problems? :)
>
> Best regards,
> Valentin
>
>
> [1] https://en.wikipedia.org/wiki/HSTS
> [2] https://hstspreload.appspot.com
>
> _______________________________________________
> Sks-devel mailing list
> address@hidden
> https://lists.nongnu.org/mailman/listinfo/sks-devel
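The pool-side header check Valentin proposes, written out as an added example (not code from either poster, from SKS, or from any pool operator). The hostnames and the response headers are constructed; a real check would request each pool name from the candidate server and feed the returned headers to the same function.

```python
"""Pool-side HSTS check for a keyserver joining a shared pool hostname.

Added example, not SKS or pool code. Hostnames and headers are constructed.
"""
import re

HSTS = "strict-transport-security"


def parse_hsts(value):
    """Parse 'max-age=31536000; includeSubDomains; preload' into a dict."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if m:
                out["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def check_pool_candidate(headers, requested_host, own_host):
    """Findings for a response to a request sent with Host: requested_host.

    HSTS on the server's own hostname is harmless to the pool. HSTS on a
    pool hostname pins browsers to HTTPS for every member of the pool, and
    'preload' on a pool hostname cannot be undone once the list ships.
    """
    value = next((v for k, v in headers.items() if k.lower() == HSTS), None)
    if value is None or requested_host.lower() == own_host.lower():
        return []
    hsts = parse_hsts(value)
    if hsts["max_age"] == 0:
        return []  # max-age=0 tells browsers to drop the policy, not to pin
    findings = [f"HSTS on pool name {requested_host}: max-age={hsts['max_age']}"]
    if hsts["include_subdomains"]:
        findings.append("includeSubDomains: policy also covers pool subdomains")
    if hsts["preload"]:
        findings.append("preload: eligible for the browser preload list, irrevocable")
    return findings


if __name__ == "__main__":
    # Constructed: a server that sends HSTS regardless of the Host header.
    sample = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
    for host in ("keys.example.org", "pool.example.net"):
        print(host, check_pool_candidate(sample, host, "keys.example.org"))
```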
