
HSTS from Top to Bottom - weinzierl
https://www.troyhunt.com/hsts-from-top-to-bottom-or-gtfo/
======
yoloClin
The article mentions preloading but doesn't go into detail.

You can apply for Chrome preload via
[https://hstspreload.org/](https://hstspreload.org/), which ends up in the Chrome
source; the list is then replicated to other browsers by their maintainers.

HSTS Preload will prevent initial-access downgrade attacks for clients using
versions of browsers with your domain as an HSTS preload. The downside is
preload removal is difficult and would take a fair while to propagate.

Also another common misconception is disabling port 80 will remediate the
issue - if an attacker can intercept and modify traffic they are able to open
and redirect the port to a node under their control.
[https://letsencrypt.org/docs/allow-port-80/](https://letsencrypt.org/docs/allow-port-80/)

------
Terretta
From 2016:

"95% of HTTPS servers vulnerable to trivial MITM attacks"

[https://news.netcraft.com/archives/2016/03/17/95-of-https-servers-vulnerable-to-trivial-mitm-attacks.html](https://news.netcraft.com/archives/2016/03/17/95-of-https-servers-vulnerable-to-trivial-mitm-attacks.html)

HSTS making progress...

------
byuu
Still doesn't solve the first-request problem. When can we start using DNSSEC
to help prevent DNS hijacking in the first place?

~~~
shawnz
The preload option is supposed to solve the first-request problem

~~~
SahAssar
It's not feasible to use preload on a wide scale. Do you think that every
secure site should have to be included in the source of your browser to have
security?
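The two threads above turn on the same mechanics: what a Strict-Transport-Security header has to say before hstspreload.org will accept a domain, and why a browser that has neither a cached HSTS entry nor a preload entry for a host still sends that first request in cleartext. The following script is an added illustration, not code from the article or from any commenter. It assumes the preload requirements as documented on hstspreload.org (a max-age of at least one year, includeSubDomains, and the preload token), and every hostname and header value in it is a constructed sample.

```python
"""Parse Strict-Transport-Security headers, check them against the preload
submission requirements, and simulate whether a browser would rewrite a plain
http:// navigation to https:// before sending any cleartext request.

Assumptions (not taken from the thread): preload requires max-age >= 1 year,
includeSubDomains and the preload token. All hosts/headers are constructed."""

PRELOAD_MIN_MAX_AGE = 31536000  # one year in seconds


def parse_hsts(header: str) -> dict:
    """Parse an STS field value into {lowercased directive: value or None}.

    Enforces the RFC 6797 rules that matter for policy evaluation: directive
    names are case-insensitive, a directive may appear only once, and
    max-age is mandatory and must be a non-negative integer.
    """
    directives = {}
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, has_value, value = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value.strip().strip('"') if has_value else None
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        raise ValueError("max-age is required and must be a non-negative integer")
    directives["max-age"] = int(max_age)
    return directives


def preload_problems(header: str) -> list:
    """Return the reasons a header fails the preload requirements (empty list = eligible)."""
    try:
        d = parse_hsts(header)
    except ValueError as exc:
        return [f"unparseable header: {exc}"]
    problems = []
    if d["max-age"] < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {d['max-age']} is below {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def is_hsts_host(host: str, known: dict) -> bool:
    """known maps a domain to its includeSubDomains flag (True/False).

    A host is covered by an exact entry, or by a superdomain entry whose
    includeSubDomains flag is set (RFC 6797 section 8.2 matching).
    """
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in known and (i == 0 or known[candidate]):
            return True
    return False


def upgrade_before_network(host: str, cache: dict, preload: dict) -> bool:
    """Would the browser rewrite http://host to https:// before any request?

    True if the host is covered by the dynamic HSTS cache (learned from an
    earlier HTTPS response) or by the built-in preload list. A host in
    neither set is exactly the first-request gap the thread describes.
    """
    return is_hsts_host(host, cache) or is_hsts_host(host, preload)


if __name__ == "__main__":
    # Constructed sample headers, from fully eligible down to clearly broken.
    samples = [
        "max-age=63072000; includeSubDomains; preload",
        "max-age=300",
        "max-age=31536000; max-age=1; preload",
    ]
    for h in samples:
        print(f"{h!r}: {preload_problems(h) or 'preload-eligible'}")

    # Constructed cache/preload state: example.test was preloaded with
    # includeSubDomains, shop.test was only ever learned without it.
    preload_list = {"example.test": True}
    hsts_cache = {"shop.test": False}
    for host in ["www.example.test", "api.shop.test", "never-visited.test"]:
        print(host, "upgraded before network:",
              upgrade_before_network(host, hsts_cache, preload_list))
```

The first sample passes, the second collects three separate problems, and the third is rejected outright because RFC 6797 forbids a repeated directive; that last case is the kind of header a quick eyeball check tends to wave through. The host simulation makes SahAssar's objection concrete: `never-visited.test` is upgraded by nothing, and only the preload list covers a host the browser has never talked to.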

------
faeyanpiraat
Do I remember correctly that Chrome wanted to deprecate HSTS about a year ago?

What happened with that?

~~~
recrudesce
You're thinking of HPKP

[https://raymii.org/s/blog/Chrome_68_is_deprecating_HPKP.html](https://raymii.org/s/blog/Chrome_68_is_deprecating_HPKP.html)

~~~
kadoban
Which is a shame really. I understand why they're doing it, it's stressful as
hell to configure, since if you do it really wrong you might as well just
write off your domain name, but the extra assurance was nice.

~~~
vbezhenar
IMO browsers should just use TLSA records instead. They're already starting to
use DoH, so DNS is secure even without DNSSEC.

~~~
xorcist
It's less bad, but far from secure, seeing as it is not end-to-end encrypted.

~~~
vbezhenar
A simple solution is just to forbid http altogether. No properly encrypted
HTTPS connection - no website, sorry (unless you downloaded some kind of
firefox developer build). But we're not there yet.

