

Understanding HTTP Strict Transport Security - paukiatwee
http://www.troyhunt.com/2015/06/understanding-http-strict-transport.html

======
Zikes
How long before browsers default to HTTPS-first, so they don't have to carry
around a hefty preload list?

~~~
Someone1234
How long until websites stop hosting broken HTTPS sites with certificate
errors? Same answer.

I use HTTPS Everywhere, you'd be surprised how many sites are broken by
default in HTTPS.

~~~
nodesocket
Hackernews is one of them. I'm showing broken https in Chrome (43.0.2357.130).

"This site uses a weak security configuration (SHA-1 signatures), so your
connection may not be private."

~~~
Someone1234
I am unable to reproduce. I am seeing SHA256. Are you being MitM-ed perhaps by
your employer/school?

~~~
nodesocket
See screenshot:
[http://i.imgur.com/m5sVoPf.png](http://i.imgur.com/m5sVoPf.png)

~~~
gcp
We'll need to see the certification chain. I agree with the other commenters
this is suspect; not seeing any SHA-1 certs in the chain either.

~~~
nodesocket
I just tried on my MacBook Pro on another network, and don't see the warning
now. I'll need to go back to my iMac and find the certificate chain.

------
jtchang
"Be aware that inclusion in the preload list cannot really be undone. You can
request to be removed, but it will take months for the deleted entry to reach
users with a Chrome update and we cannot make guarantees about other browser
vendors."

So basically once you submit it your domain is forever HTTPS on Chrome? I'm
sure there are cases that might warrant HTTP. Mostly though the cases I am
coming up with are mostly testing or implementation speed. It is generally
easier to stand up HTTP than HTTPS. At least for now until Let's Encrypt is
standard.

~~~
gcp
_So basically once you submit it your domain is forever HTTPS on Chrome?_

Yes, and Firefox too since they share the preload lists.

_Mostly though the cases I am coming up with are mostly testing or
implementation speed. It is generally easier to stand up HTTP than HTTPS. At
least for now until Let's Encrypt is standard._

That sounds more of an issue for new domains, rather than established ones,
no? I mean once you set up an inverse proxy like nginx to handle the HTTPS
side, that should disappear.

