What browser are you using that you are not redirected to https://yc.dev?
>Most major browsers (Chrome, Firefox, Opera, Safari, IE 11 and Edge) also have HSTS preload lists based on the Chrome list. (See the HSTS compatibility matrix.)
I think it'd be better to use an out-of-date list instead of nothing; I should go push for that again.
(2) is not really a concern any more, (3) occasionally becomes a concern, (1) is a concern for most of the web, and (4) is a concern for literally every use of HSTS.
The whole point of HSTS is to ward off man-in-the-middle. If all a man in the middle has to do is wait, and is eventually guaranteed a shot at exploiting you, they will. So all HSTS gives you is the small hedge that if an attacker is present, but not persistent, and not targeting you specifically, you're slightly more secure.
Basically, it only protects you if a random hacker is sitting in a coffee shop you don't normally go to, and only if your browser is up to date, and only if every site you want to visit uses HSTS, and only if you've visited them before. It's so incredibly specific that it's almost pointless.
A better solution would be either (A) an extension to the specification to actually support a "secure://" URI prefix, or (B) a proxy or browser mode that only allows valid HTTPS connections. These are user interface fixes, because the entire point of HSTS is to prevent users (and really bad apps, I guess) from accidentally using HTTP.
Also, does that site even work?
Status: google.com is not preloaded.
Status: microsoft.com is not preloaded.
Status: duckduckgo.com is not preloaded.
Status: news.ycombinator.com is not preloaded.
Status: aws.amazon.com is not preloaded.
Status: bankofamerica.com is not preloaded.
Status: capitalone.com is not preloaded.
That doesn't seem like it's enough time. I would expect one year or at least 6 months.
The "About" link at the top links to HTTPS, but it's a 404, because it points to //about instead of /about.
I can confirm here in Chrome and Firefox that the URL is rewritten internally to https://yc.dev (which then redirects to https://ycombinator.dev), so no unencrypted traffic is ever sent over the network.
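
A simplified model of the browser behaviour this thread argues about, added here as an example and not code from any commenter or browser: a preloaded host is upgraded before any request leaves the machine, while a host that relies only on the header is unprotected on first visit and again once max-age lapses. The class and function names, the `shop.example` host and the one-entry preload list are constructed for illustration.

```javascript
// Simplified model of a browser's HSTS decision. All names are hypothetical.
// PRELOAD is a constructed stand-in for the list compiled into the browser.
const PRELOAD = [{ host: "dev", includeSubDomains: true }];

class HstsStore {
  constructor(preload = PRELOAD) {
    this.preload = preload;
    this.dynamic = new Map(); // host -> { expires, includeSubDomains }
  }

  // Record a Strict-Transport-Security header. It is only honoured when it
  // arrives over HTTPS, so a header seen on a plaintext response is ignored.
  note(host, header, nowSec, overHttps) {
    if (!overHttps) return false;
    const directives = header.split(";").map(d => d.trim().toLowerCase()).filter(Boolean);
    const maxAge = directives.map(d => /^max-age=("?)(\d+)\1$/.exec(d)).find(Boolean);
    if (!maxAge) return false; // max-age is mandatory (RFC 6797)
    const key = host.toLowerCase();
    const seconds = Number(maxAge[2]);
    if (seconds === 0) { this.dynamic.delete(key); return true; } // max-age=0 clears the entry
    this.dynamic.set(key, {
      expires: nowSec + seconds,
      includeSubDomains: directives.includes("includesubdomains"),
    });
    return true;
  }

  // "preload" or "dynamic" means http:// is rewritten to https:// internally;
  // null means the first request goes out in plaintext.
  upgradeReason(host, nowSec) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join(".");
      const exact = i === 0; // parent-domain entries need includeSubDomains
      const p = this.preload.find(e => e.host === candidate);
      if (p && (exact || p.includeSubDomains)) return "preload";
      const d = this.dynamic.get(candidate);
      if (d && d.expires > nowSec && (exact || d.includeSubDomains)) return "dynamic";
    }
    return null;
  }
}

// Walk through the cases raised in the thread, using constructed timestamps.
function demo() {
  const store = new HstsStore();
  const t0 = 1700000000;
  const out = { preloaded: store.upgradeReason("yc.dev", t0) };
  out.firstVisit = store.upgradeReason("shop.example", t0);
  store.note("shop.example", "max-age=86400", t0, true);
  out.withinMaxAge = store.upgradeReason("shop.example", t0 + 3600);
  out.afterExpiry = store.upgradeReason("shop.example", t0 + 86401);
  return out;
}
```
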