On 7 February 2016 at 05:10, Mirco Bauer meebey@meebey.net wrote:
[Reply inline]
Am 06.02.2016 3:43 nachm. schrieb "Martijn Grooten" martijn@lapsedordinary.net:
On Thu, Feb 04, 2016 at 03:36:44PM +0000, Alec Muffett wrote:
Perhaps only issuing the header to people who access from an exit node, might reduce that cost?
Even so, and especially then, this sounds like an easy way for someone operating a rogue exit node to get persistent MitM on non-HTTPS sites.
So accept this header just on https connections and all is well.
Agreed, this is how applying most security headers works (HSTS, HPKP). Instead of defining a new header why not use Alt-Svc? I'm not sure of its status, but it was explicitly made for advertising other methods of contacting a service.
-tom
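As an added illustration of the policy the thread converges on (not code from any of the participants): a small client-side cache for Alt-Svc-style hints that, like HSTS and HPKP, only remembers an advertised alternative when the response carrying it arrived over HTTPS, so a hint injected into a cleartext response by an on-path party is simply dropped. The header syntax follows RFC 7838's Alt-Svc field; the class and method names here are my own.

```python
import time
from dataclasses import dataclass


@dataclass
class AltService:
    protocol: str      # e.g. "h2"
    authority: str     # e.g. "alt.example:443"
    expires_at: float  # absolute time after which the hint is forgotten


class AltSvcCache:
    """Per-origin cache of advertised alternative services. A hint is kept
    only if the response carrying it arrived over HTTPS, so a plain-HTTP
    on-path attacker cannot plant a lasting redirection for the origin."""

    def __init__(self):
        self._entries = {}  # origin host -> list[AltService]

    @staticmethod
    def parse_alt_svc(value, now):
        """Parse e.g. 'h2="alt.example:443"; ma=3600, h3=":443"' (RFC 7838)."""
        services = []
        for field in value.split(","):
            parts = [p.strip() for p in field.split(";") if p.strip()]
            if not parts or parts[0] == "clear":
                continue
            proto, _, authority = parts[0].partition("=")
            authority = authority.strip('"')
            if not proto or not authority:
                continue
            max_age = 86400  # RFC 7838 default when "ma" is absent
            for param in parts[1:]:
                key, _, val = param.partition("=")
                if key.strip().lower() == "ma" and val.strip().isdigit():
                    max_age = int(val)
            services.append(AltService(proto.strip(), authority, now + max_age))
        return services

    def observe(self, origin_host, scheme, header_value, now=None):
        """Record a header seen on a response; returns True if it was accepted."""
        now = time.time() if now is None else now
        if scheme != "https":
            return False  # same rule as HSTS/HPKP: ignore hints from cleartext
        self._entries[origin_host] = self.parse_alt_svc(header_value, now)
        return True

    def lookup(self, origin_host, now=None):
        """Return the still-valid alternatives recorded for an origin."""
        now = time.time() if now is None else now
        return [s for s in self._entries.get(origin_host, []) if s.expires_at > now]
```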