On January 19, 2017 23:05, Giancarlo Razzolini wrote:

> I plan to wait another week before moving on to adding archlinux.org domain to
> the preload list.

Hi all,

As one week has passed, and no objections were made, archlinux.org was just
added to the preload list [0][1].

It takes some time for the change to propagate through versions, but usually the
next major version of Chrome (and possibly Firefox) will contain the inclusion.

Over the past couple of weeks I tried to find STS preload usage outside of
browsers, and I found none. wget seems to respect the HSTS header, but it doesn't
use preload as far as I can tell. curl doesn't seem to have much (any?)
documentation on the subject, and I don't see any evidence for preload lists in
either their source or our package of it.

Anyway, from now on, every http service will *have* to be served through TLS. We
have our certs being renewed automatically, so it shouldn't be an issue. If we
ever need to disable preload, it will need to be done months before any usage of
plain http service. And even then, some users that do not update their browsers
regularly won't be able to access anything under archlinux.org.

Cheers,
Giancarlo Razzolini

[0] https://git.archlinux.org/infrastructure.git/commit/?id=9beccb72d1e6e26593484ddb2c7bf642ea9446d2
[1] https://hstspreload.org/?domain=archlinux.org
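
Added example, not part of the original message or of the Arch infrastructure repository: a small checker that parses a Strict-Transport-Security header value and reports why it would not qualify for the preload list. The thresholds (max-age of at least one year, includeSubDomains, preload) are assumed from the hstspreload.org submission requirements, and the function names and sample headers are constructed for illustration.

```python
import re

# Assumed hstspreload.org minimum: one year, in seconds.
MIN_PRELOAD_MAX_AGE = 31536000

def parse_hsts(value):
    """Parse an STS header value into {lowercased directive: value or None}.

    Per RFC 6797, directive names are case-insensitive and a directive that
    appears more than once makes the whole header invalid (returns None).
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate empty directives such as a trailing ';'
        name, sep, arg = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = arg.strip().strip('"') if sep else None
    return directives

def preload_problems(value, min_max_age=MIN_PRELOAD_MAX_AGE):
    """Return the reasons a header value would not qualify for preload."""
    d = parse_hsts(value)
    if d is None:
        return ["duplicate directive, header is invalid"]
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        problems.append("missing or non-numeric max-age")
    elif int(max_age) < min_max_age:
        problems.append("max-age below %d seconds" % min_max_age)
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    return problems

# Constructed sample header values, not captured from archlinux.org.
SAMPLES = [
    "max-age=31536000; includeSubDomains; preload",
    "max-age=300; includeSubDomains",
    'max-age="63072000" ; INCLUDESUBDOMAINS; preload;',
    "max-age=31536000; max-age=0; includeSubDomains; preload",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", preload_problems(s) or "ok")
```
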
