Re: Fetching http:// URIs over TLS by default

Nick Harper <> Fri, 20 September 2019 22:38 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A1973120808 for <>; Fri, 20 Sep 2019 15:38:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.499
X-Spam-Status: No, score=-10.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id dAPT6lrFsfRp for <>; Fri, 20 Sep 2019 15:38:41 -0700 (PDT)
Received: from ( [IPv6:2603:400a:ffff:804:801e:34:0:38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B493112023E for <>; Fri, 20 Sep 2019 15:38:41 -0700 (PDT)
Received: from lists by with local (Exim 4.89) (envelope-from <>) id 1iBRVg-0003xf-Qn for; Fri, 20 Sep 2019 22:36:16 +0000
Resent-Date: Fri, 20 Sep 2019 22:36:16 +0000
Resent-Message-Id: <>
Received: from ([2603:400a:ffff:804:801e:34:0:4f]) by with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <>) id 1iBRVd-0003wx-Qq for; Fri, 20 Sep 2019 22:36:13 +0000
Received: from ([2607:f8b0:4864:20::334]) by with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from <>) id 1iBRVc-0001Z7-K1 for; Fri, 20 Sep 2019 22:36:13 +0000
Received: by with SMTP id 67so7535313oto.3 for <>; Fri, 20 Sep 2019 15:35:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=s2VWxBWZt0bTKA7F7naY6mIMBC7wS/1nWh2CQHyc52M=; b=gJLlcYjzP6c6r7t4G8Y9HcQl4HyIwu22bQJUmURtW5j5Ilcm6pnXF6BmhkhVcVwTx0 dli0axqcE4xpofrNgM1p9o11wIoiEdN5yds+GGshRfiKxXWpGh2AieDdLbv7uYOVnJ9a HzWr62Sg5N4MUHzx5ybpN1cDgwzH4b+ANusvnPjKNZsRPpkEAb3zRNNGE9HYHUI5lUc5 bW8voSEcfTAjfS4Md/xOL5rY8CpUIc6lEKbSndBxJEBKBeBet0sFDZpULe2LY7OmH++S unBWqgtF1Pvup704nGlkj7lpVftrFKHejc4KbqqGVyhKMkzh+NT+ugzzeQePKA0iidq+ NNTQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=s2VWxBWZt0bTKA7F7naY6mIMBC7wS/1nWh2CQHyc52M=; b=YhSXWxkLPrqcXe6Jue7oMiQ4KaulGv7oYJ/BD04Cto6i/3k2e3XQgt6uIEJWIUY/a5 xax0xQgxMS5Xx7BzyOZPQiq8q24HUp0A1uPqtWrdvd2ergDk1xcxM7fDtLsa/WiZhLnN xxa5fJg7PsKRQR0M4uhQSCzBsAwkLqUgqZhxOe5FtJBUTqJqqgXP9qf6Ugh6QmABvxUc ZkRhOzaMSTRyJKghLqrilCVO+4iouOyc8i3Ng+g6riU49ArQnGAfQJuHZxEsBkOjl7rH 8luUFrsUozoYFKNkFIV0AIMbSIvMCoVLTUobmTmDmR77nGjEcqcltoPUAT9iWoaC2vwg JezQ==
X-Gm-Message-State: APjAAAVC8SXQEKJAM2iOX4pvx2euGNTbcyFEgWOcaQgL8poC2WGj0iVT 90W9Wr5A2pDs8lPnDcNxeYVNytX7mOtz0qFq24e6aA==
X-Google-Smtp-Source: APXvYqwFYxMdlSng6/PFPxtuWeXVssyAZ9KoS5zMW2c0ZXkY4z1tNFCjor33fOHhbTzL/3yjkC65dNVRZWO9DTggGEQ=
X-Received: by 2002:a9d:1428:: with SMTP id h37mr13609821oth.14.1569018950483; Fri, 20 Sep 2019 15:35:50 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
From: Nick Harper <>
Date: Fri, 20 Sep 2019 15:35:39 -0700
Message-ID: <>
To: Rob Sayre <>
Cc: David Benjamin <>, " Group" <>
Content-Type: multipart/alternative; boundary="00000000000030f151059303b1dd"
Received-SPF: pass client-ip=2607:f8b0:4864:20::334;;
X-W3C-Hub-Spam-Status: No, score=-19.6
X-W3C-Scan-Sig: 1iBRVc-0001Z7-K1 e78229f0b000c2b5b83f30bf28283689
Subject: Re: Fetching http:// URIs over TLS by default
Archived-At: <>
X-Mailing-List: <> archive/latest/37028
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>

> 2) Allow domains to opt-in to HSTS out-of-band, like in software updates
>>> for an OS. This idea seems intriguing, because it would seem to improve
>>> security as participants join, unlike a TLS trusted-root store.
>> The HSTS spec suggests doing this as a the pre-load list and indeed
>> browsers ship just that.
> They do--I've seen the static list built into Chrome. It seems like the
> list should be global, because the lists didn't seem to match on some
> important sites. Browsers did record the HSTS data after one visit, but
> clearing browsing data seemed to reverse this in some cases.

As far as I know, every browser that ships an HSTS preload list bases it
off of the one maintained at Different browsers have
different criteria for what exactly to include and may revalidate that a
domain meets the requirements for inclusion (or meets additional
requirements than the Chromium requirements). The update cycle for
different browsers also impacts which version of the list is in use, but
ultimately I'd expect all browsers to have approximately the same list.