[HTTPS-E Rulesets] Suggested ruleset for new HTTPS site

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Feb 5 09:52:25 PST 2015


On Thu 2015-02-05 11:12:29 -0500, Joakim Walldén wrote:
> Not to argue against adding a ruleset, but the domain is in the HSTS-list¹,
> so the browser will not try to connect to it insecurely.
>
> ¹
> https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json

Ah, i hadn't seen that it was in the preload list already, that's more
than just "supports HSTS" :)

is there a policy about how https-everywhere interacts with the preload
list?

for browsers that use the preload-list, an https-e plugin doesn't need
to worry about those sites.  For browsers that *don't* use the
preload-list, you'd want that preload list to be embedded in httpse
automatically, no?

I guess both chromium and firefox support the preload list these days,
so maybe that means it's not necessary?  but it would be a shame for
someone to take the httpse dataset (e.g. for something like a local
proxy service) and *not* include things that happened to be in the
preload list.

     --dkg
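The merge raised in the message above, as an added example that is not part of the original post and not HTTPS Everywhere project code: it reads preload-list entries and emits rulesets only for hosts that no existing ruleset target covers. The function names, the sample hostnames and the assumed `entries`/`name`/`include_subdomains`/`mode` layout of the preload file are assumptions of this sketch.

```python
import json
from xml.sax.saxutils import quoteattr

# Constructed sample in the layout assumed for Chromium's
# transport_security_state_static.json (whole-line // comments, so not strict JSON).
SAMPLE_PRELOAD = """
// constructed sample, not real preload data
{ "entries": [
    { "name": "secure.example", "include_subdomains": true, "mode": "force-https" },
    { "name": "pinned-only.example", "include_subdomains": true, "pins": "test" },
    { "name": "already-covered.example", "mode": "force-https" }
] }
"""

def load_preload(text):
    """Strip whole-line // comments, parse, keep only entries that force HTTPS."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("//"))
    return [e for e in json.loads(body)["entries"] if e.get("mode") == "force-https"]

def covered(host, targets):
    """True if an existing target matches host exactly or via a left wildcard
    (treated here as matching subdomains at any depth)."""
    return any(t == host or (t.startswith("*.") and host.endswith(t[1:]))
               for t in targets)

def to_ruleset(name, hosts):
    """Render a minimal ruleset that upgrades every listed host to https."""
    lines = ["<ruleset name=%s>" % quoteattr(name + " (HSTS preload)")]
    lines += ["  <target host=%s />" % quoteattr(h) for h in hosts]
    lines += ['  <rule from="^http:" to="https:" />', "</ruleset>"]
    return "\n".join(lines)

def missing_rulesets(preload_text, existing_targets):
    """Rulesets for preload hosts that no existing target already covers."""
    out = []
    for e in load_preload(preload_text):
        hosts = [e["name"]]
        if e.get("include_subdomains"):
            hosts.append("*." + e["name"])
        gap = [h for h in hosts if not covered(h, existing_targets)]
        if gap:
            out.append(to_ruleset(e["name"], gap))
    return out

if __name__ == "__main__":
    for xml in missing_rulesets(SAMPLE_PRELOAD, {"already-covered.example"}):
        print(xml)
```

Entries that only carry pins (no `force-https` mode) are skipped, since they do not by themselves tell the client to upgrade the connection.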

