mozilla / http-observatory

Mozilla HTTP Observatory
https://observatory.mozilla.org/
Mozilla Public License 2.0

HSTS minAge does not follow the https://hstspreload.org guideline #232

Open floatingatoll opened 7 years ago

floatingatoll commented 7 years ago

https://hstspreload.org notes that the minimum value for HSTS age headers should be 18 weeks, whereas Observatory goes with half a year. It would be worth changing Observatory to match the 18 week requirement instead, so that websites that follow https://hstspreload.org guidelines aren't penalized for doing the right thing.

(Copied from @pomax's original request at mozilla/http-observatory-website#96.)

floatingatoll commented 7 years ago

The original request has some conversation about whether or not it's us or hstspreload.org that needs to change.

april commented 7 years ago

I should note that the 18 weeks is simply a (legacy) prerequisite for getting on the list, it's not a recommendation for what sites should use (which is two years). Once it's preloaded, the 18 weeks thing is essentially irrelevant anyways.

What I should really be doing is updating the HSTS test to require two years, but I'm afraid of all the complaints, as six months or a year is the most common configuration. So maybe I'll do +1 for two years and leave the minimum as six months for now.

CC'ing @lgarron in case he has any strong opinions on the matter.
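
As an added example (not the Observatory's own code), a parser for the Strict-Transport-Security header and a hypothetical scoring function that encodes the three thresholds discussed here: 18 weeks (the hstspreload.org prerequisite), six months (the Observatory's current minimum) and two years (the recommended value). The modifier values and label strings are assumptions, not the Observatory's real scores.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Thresholds from the thread, in seconds.
EIGHTEEN_WEEKS = 18 * 7 * 24 * 3600   # hstspreload.org legacy prerequisite
SIX_MONTHS = 15768000                 # Observatory's current minimum (half a year)
TWO_YEARS = 63072000                  # recommended max-age for sites

@dataclass
class HstsPolicy:
    max_age: Optional[int]            # None means missing or invalid header
    include_subdomains: bool
    preload: bool

INVALID = HstsPolicy(None, False, False)

def parse_hsts(header: str) -> HstsPolicy:
    """Parse an STS value per RFC 6797 6.1: ';'-separated directives, names
    case-insensitive, max-age may be quoted, no directive may repeat."""
    max_age, seen = None, set()
    include_subdomains = preload = False
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        if name in seen:
            return INVALID                    # duplicate directive
        seen.add(name)
        if name == "max-age":
            v = value.strip()
            if len(v) >= 2 and v[0] == v[-1] == '"':
                v = v[1:-1]                   # unquote "12345"
            if not (v.isascii() and v.isdigit()):
                return INVALID                # max-age must be delta-seconds
            max_age = int(v)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)

def score_hsts(policy: HstsPolicy) -> Tuple[int, str]:
    """Assumed modifiers: +1 at two years, 0 at six months, -1 between the
    18-week preload minimum and six months, -20 below that or if missing."""
    age = policy.max_age
    if age is None:
        return (-20, "hsts-header-invalid-or-missing")
    if age >= TWO_YEARS:
        return (1, "hsts-two-years-bonus")
    if age >= SIX_MONTHS:
        return (0, "hsts-at-least-six-months")
    if age >= EIGHTEEN_WEEKS:
        return (-1, "hsts-preload-minimum-only")
    return (-20, "hsts-max-age-too-short")
```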

floatingatoll commented 7 years ago

I would happily accept HSTS is more than 18 weeks but less than 2 years [-1] rather than the [0] I get for it today.

On Tue, Apr 25, 2017 at 11:53 AM, April King notifications@github.com wrote:

lgarron commented 7 years ago

If we update the requirements for hstspreload.org this year, the minimum age will probably go up to 1 or 2 years. Still waiting for @agl to weigh in on https://crbug.com/692348

floatingatoll commented 6 years ago

https://crbug.com/692348 (raise max-age cap to 2 years) was abandoned. @april, do you still think a bonus is appropriate for 1 year?