
Re: [Sks-devel] Pools & HSTS header


From: Christoph Egger
Subject: Re: [Sks-devel] Pools & HSTS header
Date: Fri, 03 Jun 2016 16:49:57 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

William Hay <address@hidden> writes:
> On Thu, May 26, 2016 at 12:47:57AM +0200, Valentin Sundermann wrote:
>> Hi,
>> 
>> I enforce HTTPS on all my domains by sending the HSTS header to my
>> visitors. HSTS forces the browser to use in future only secure
>> connections to this domain. More info on Wikipedia[1] :)
>> Since my keyserver could be added to pools of keyservers without any
>> notice to me, it could be possible that some servers will send this
>> kind of header on pool domains too.
>> 
>> Did I miss there something or could this really lead to problems? :)
>
> AIUI HSTS only works if the header is received over an https connection
> not an http one.  Unless you have a cert in the name of one of the pools
> then anyone trying to connect to the pool who ends up connecting to your
> server will not get far enough to see the HSTS header because of a name 
> mismatch.

Well.

  http://pool.sks-keyservers.net(:11371)? --redirect--> https://keyserver.siccegge.de

And if keyserver.siccegge.de presents a valid certificate + HSTS, that would be
a problem, no? (and potentially undetected if the pool script mainly
checks API pages)

  Christoph

-- 
9FED 5C6C E206 B70A 5857  70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
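Added example, not part of this thread or of the SKS project: a small Python model of the rule both replies turn on (RFC 6797: a browser records a Strict-Transport-Security policy only from a response received over HTTPS, and binds it to the host that served that response, never to the name the user first typed). Run over a constructed redirect chain for the scenario sketched above, it shows which host name would end up with an HSTS policy; the URLs, header values and the assumption that keyserver.siccegge.de's certificate validates are mine.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Response:
    """One hop of a constructed redirect chain: URL fetched, status, headers."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    Returns None when max-age is missing or not an integer (policy must be ignored)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


def hsts_hosts_pinned(chain):
    """Return {host: (max_age, include_subdomains)} for every hop whose HSTS header a
    conforming browser would record: the hop must have been fetched over https (a
    header on plain http is ignored) and the policy is bound to that hop's own host.
    Assumes every https hop presented a certificate that validated for its name."""
    pinned = {}
    for hop in chain:
        parts = urlsplit(hop.url)
        value = next((v for k, v in hop.headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if parts.scheme != "https" or value is None:
            continue
        policy = parse_hsts(value)
        if policy is not None:
            pinned[parts.hostname] = policy
    return pinned


# Constructed chain for the scenario above: the pool name answers on 11371 with a
# redirect to the operator's own HTTPS host, which then sends an HSTS header.
EXAMPLE_CHAIN = [
    Response("http://pool.sks-keyservers.net:11371/pks/lookup?op=stats", 301,
             {"Location": "https://keyserver.siccegge.de/pks/lookup?op=stats"}),
    Response("https://keyserver.siccegge.de/pks/lookup?op=stats", 200,
             {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]
```

For the chain above only keyserver.siccegge.de is pinned; the pool name is pinned only if the pool host itself answers over HTTPS with a certificate valid for that name and sends the header, which is the case William's reply describes.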


