Virtual Newsletter about Software Freedom
March 2, 2025

HSTS: Another "Solution" that isn't actually helpful.
-----------------------------------------------------

APT reverse shells are only possible if someone gets root access to modify that folder. But HTTP is much easier to eavesdrop on, or to inject incorrect requests into. The router can do this.

The solution? HTTPS. It isn't perfect, but it's better than nothing. HTTPS makes all connections encrypted. Basically it's just HTTP+TLS. Now there are some problems, as I said, for example certificate trust.

But for SOME REASON the IETF decided that that's not enough. So they added HSTS. HSTS is a header that says to only use HTTPS, with an expiration time. This is okay, as it allows the browser to know that the site has HTTPS.

The problem with HSTS is the preload list. This is a list of sites that are preloaded with HSTS. This list is maintained by Google and Mozilla. It sucks because the user doesn't have a choice. They can't turn it off or change it. The RFC for HSTS says that the browser MAY NOT bypass the HSTS. This means that the user is not in control, but the browser is. It's not a very good idea.

HSTS is not helpful; it is an anti-feature of HTTPS. I have HSTS disabled on my website, and I hope that browsers stop caring about it.

- NexusSfan

---

Copyright (c) 2025 NexusSfan
Except where otherwise noted, this work is licensed under the Creative Commons Attribution-NoDerivatives 4.0 International License. A copy of the license is included at https://creativecommons.org/licenses/by-nd/4.0

---