
List of secure websites - btrask
https://code.google.com/p/chromium/codesearch#chromium/src/net/http/transport_security_state_static.json
======
tshtf
Note that adding your site to the HSTS whitelist in Chrome (from which
Firefox, Safari, and Edge will follow) is very easy:

[https://hstspreload.appspot.com/](https://hstspreload.appspot.com/)

~~~
keehun
Thank you for that. I was quite clueless on how this list was put together.

------
tptacek
Better title: "The Chromium Built-In HSTS Whitelist".

Search for "noisebridge", which is right around where all the small sites
start.

~~~
i336_
IMO the HSTS list should have a description field.

------
fivesigma
So all applications to the HSTS preloaded list are hardcoded in that json.

How big will that file get in a few years? Looks like the first addition of
user submitted websites was done over a year ago.

I wonder how ubiquitous HTTP/2 (TLS mandatory) will affect this.

~~~
ktt
TLS is not strictly mandatory in HTTP/2 (see h2c), but even if it was, this list
solves another problem - when a user types e.g. Google.com in their browser, the
initial connection is made via HTTP. The preload list says "if this domain is
typed in the address bar, go straight to HTTPS; if that's not possible, stop the
connection".
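
The lookup described in the comment above, as an added example that is not part of the thread and is not Chromium's code: a typed address is checked against the preload entries before any request is sent, and a match rewrites the scheme to HTTPS. The entries are constructed samples; the field names `name`, `include_subdomains` and `mode` are assumed to follow the linked JSON file, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample entries, shaped like the "entries" array of the linked
# transport_security_state_static.json (field names are an assumption here).
PRELOAD_ENTRIES = [
    {"name": "example-bank.test", "include_subdomains": True, "mode": "force-https"},
    {"name": "login.example-shop.test", "mode": "force-https"},
    {"name": "pins-only.test", "include_subdomains": True},  # no force-https mode
]


def build_index(entries):
    """Map lower-cased host names to their preload entry."""
    return {e["name"].lower().rstrip("."): e for e in entries}


def is_preloaded(host, index):
    """True if host, or a parent that opted in its subdomains, forces HTTPS."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full host up through each parent domain, whole labels only,
    # so "notexample-bank.test" never matches "example-bank.test".
    for i in range(len(labels)):
        entry = index.get(".".join(labels[i:]))
        if entry is None or entry.get("mode") != "force-https":
            continue
        if i == 0 or entry.get("include_subdomains", False):
            return True
    return False


def resolve_navigation(typed, index):
    """Return the URL a browser would request for what the user typed."""
    url = typed if "://" in typed else "http://" + typed  # bare host defaults to HTTP
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname and is_preloaded(parts.hostname, index):
        # Upgrade before any plaintext request leaves the machine. An explicit
        # non-default port is kept; port 80 becomes the HTTPS default.
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc = f"{netloc}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    # Not preloaded: the first request goes out over HTTP as typed.
    return url
```

If the HTTPS connection for an upgraded host then fails, the request is abandoned rather than retried over HTTP, which is the "stop the connection" half of the comment.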

------
jakobdabo
I couldn't find a single mainstream media website in this list. Only the
Washington Post and RT are accessible through HTTPS, but no HSTS headers are
provided.

edit: removed acronym

~~~
buro9
I don't know what MSM is.

But if they are a group doing media and content websites, HSTS and full SSL
are still hard to accomplish due to the advertising industry dragging its
collective feet and knuckles.

------
nodesocket
Is it me, or does a hard-coded json file that is manually maintained and
compiled-in seem like a terrible idea?

Couldn't Chrome just phone home to a secure server to retrieve HSTS data every
once in a while (just like updates)?

~~~
ktt
Then the attacker could just block the update servers.

