Thanks Eric! It seems like I accidentally took this thread off-list. I think the summary for everyone else is: HSTS on omniti.com accidentally trickled down to omnios.omniti.com, affecting visitors who loaded up omnios.omniti.com at just the right (wrong) time. HSTS headers should have been fixed now.
2016-04-25 20:46 GMT+02:00 Eric Sproul <[email protected]>:

> Hi Jacob,
> The OmniTI folks did roll out HSTS recently, but (as I'm sure many
> others have) quickly realized that including all subdomains wasn't
> feasible. They now no longer set that for omniti.com, and have set
> the max-age parameter to 1 second. I'm not sure how you go about
> clearing the HSTS info from your browser, but if you do that, you
> should be good.
>
> Eric
>
> On Mon, Apr 25, 2016 at 10:35 AM, Eric Sproul <[email protected]> wrote:
> > On Mon, Apr 25, 2016 at 10:26 AM, Jacob Vosmaer <[email protected]> wrote:
> >> Thanks Eric.
> >>
> >> I am not using HTTPS Everywhere. According to chrome://net-internals/#hsts
> >> omnios.omniti.com my Chrome thinks omnios.omniti.com wants 'Strict Transport
> >> Security'.
> >>
> >> static_sts_domain: omniti.com
> >> static_upgrade_mode: STRICT
> >> static_sts_include_subdomains: true
> >> static_sts_observed: 1461128400
> >>
> >> That timestamp is about five days ago. Could it be that OmniTI temporarily
> >> deployed HSTS and I got unlucky?
> >
> > Interesting... I'll ask my OmniTI colleagues.
> >
> > Eric
_______________________________________________
OmniOS-discuss mailing list
[email protected]
http://lists.omniti.com/mailman/listinfo/omnios-discuss
