On Aug 10, 2014, at 12:59 PM, Tobias Gondrom <[email protected]> wrote:
> Hi Jeff,
>
> thanks for sharing. Good paper and interesting read.
>
> Even though things are slowly picking up in adoption, a bit
> disappointing it's been only 277 out of 100000 sites in Oct 2013. (on a
> personal note: this is consistent with my personal anecdotal experience:
> as part of overall secure development training, I also mention HSTS to
> developers a couple of times per year, and so far nearly none of them
> used it before…)

My anecdotal evidence is that I tried to promote it at the company where I work. We sell (among other things) an SSL-VPN gateway. That is pretty much a pre-packaged web server, configurable to provide access to company resources such as email, ERP and whatever else employees need over a web interface.

At first this looked to me like a great candidate for HSTS - it’s only HTTPS, no HTTP. It’s pre-packaged, so we could add it without the administrators needing to do any work.

In the end, what killed the idea was what happens when certificates expire or when a valid certificate is replaced by an almost-valid certificate (missing alternate name). The administrators of our products run the gamut from IT professionals who have been through our administration courses all the way to the CEO’s nephew who’s really good with computers (‘cause he’s got his own Facebook profile and everything). We felt it was too risky to just ship the server with HSTS on.

It’s still possible to turn it on by editing some Apache configuration files, but you really want security to be on by default.

Yoav

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
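As an added example that is not part of the thread and not code from any vendor's product: the failure mode Yoav describes, modelled in Python, next to the pre-flight check an appliance vendor could run before shipping the Strict-Transport-Security header. Once a browser has cached an HSTS policy for a host, RFC 6797 section 8.4 tells it to treat any TLS error as fatal with no click-through, so an expired certificate or a renewed one that is missing a subjectAltName locks every user out until the operator fixes it. The certificate dicts below follow the shape returned by `ssl.SSLSocket.getpeercert()`, so the same check can be run against a live socket; the hostnames, certificate fields, dates and max-age values are constructed for the example.

```python
"""Added example (not from the websec thread or any vendor's product):
model the HSTS lock-out failure mode and a pre-flight check for enabling it.

Certificate dicts use the shape of ssl.SSLSocket.getpeercert(), i.e.
{'subjectAltName': (('DNS', name), ...), 'notAfter': 'Mon DD HH:MM:SS YYYY GMT'}.
"""
import ssl
import time
from dataclasses import dataclass, field

ONE_DAY = 86400


@dataclass
class Preflight:
    safe_to_enable: bool                            # False if any blocking problem
    problems: list = field(default_factory=list)    # would lock users out
    warnings: list = field(default_factory=list)    # worth fixing before shipping


def _dns_match(pattern, hostname):
    """RFC 6125 style name matching: exact match, or a single '*' as the whole
    leftmost label. Like browsers, refuse wildcards that would cover a
    two-label name such as '*.com' matching 'example.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    labels = hostname.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def cert_covers(cert, hostname):
    """True if some DNS subjectAltName entry of cert matches hostname."""
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_dns_match(p, hostname) for p in dns_names)


def seconds_until_expiry(cert, now):
    return ssl.cert_time_to_seconds(cert["notAfter"]) - now


def hsts_preflight(cert, hostnames, max_age, now=None):
    """Blocking problems: a configured hostname the cert does not cover, or an
    already-expired cert. Warning: a max-age longer than the cert's remaining
    lifetime, since cached policies then outlive the cert unless it is renewed."""
    now = time.time() if now is None else now
    result = Preflight(safe_to_enable=True)
    for host in hostnames:
        if not cert_covers(cert, host):
            result.problems.append(f"{host}: no matching subjectAltName")
    remaining = seconds_until_expiry(cert, now)
    if remaining <= 0:
        result.problems.append("certificate already expired")
    elif remaining < max_age:
        result.warnings.append(
            f"max-age ({max_age}s) outlives the certificate "
            f"({int(remaining // ONE_DAY)} days left); renew before it lapses")
    result.safe_to_enable = not result.problems
    return result


def hsts_header(max_age, include_subdomains=False):
    """Strict-Transport-Security header value per RFC 6797 section 6.1."""
    value = f"max-age={int(max_age)}"
    return (value + "; includeSubDomains") if include_subdomains else value


def user_agent_outcome(known_hsts_hosts, host, tls_ok):
    """RFC 6797 section 8.4: for a known HSTS host any TLS failure (expired
    cert, name mismatch, ...) terminates the connection with no user recourse;
    for other hosts the UA may still offer its usual click-through warning."""
    if tls_ok:
        return "connected"
    if host in known_hsts_hosts:
        return "blocked: HSTS host, no click-through"
    return "warning page: user may proceed"


# --- constructed sample data (assumed names and dates, not real certificates) ---
NOW = ssl.cert_time_to_seconds("Aug 10 12:00:00 2014 GMT")
GOOD_CERT = {
    "subjectAltName": (("DNS", "vpn.example.com"), ("DNS", "*.vpn.example.com")),
    "notAfter": "Aug 10 12:00:00 2015 GMT",
}
# "Almost valid": renewed in time, but the operator dropped the wildcard SAN.
ALMOST_VALID_CERT = {
    "subjectAltName": (("DNS", "vpn.example.com"),),
    "notAfter": "Aug 10 12:00:00 2016 GMT",
}
HOSTS = ["vpn.example.com", "mail.vpn.example.com"]

if __name__ == "__main__":
    for name, cert in [("good", GOOD_CERT), ("almost-valid", ALMOST_VALID_CERT)]:
        r = hsts_preflight(cert, HOSTS, max_age=180 * ONE_DAY, now=NOW)
        print(name, "safe" if r.safe_to_enable else "NOT safe", r.problems, r.warnings)
    print(hsts_header(180 * ONE_DAY, include_subdomains=True))
    print(user_agent_outcome({"vpn.example.com"}, "mail.vpn.example.com", tls_ok=False))
```

The pre-flight check is the part an appliance vendor can automate at boot or on certificate upload: refuse to emit the header (or emit it with a short `max-age`) until every configured hostname is covered and the certificate is current, and run it again before each renewal so the almost-valid replacement is caught before any client has cached a policy that makes the mismatch fatal.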
