[tor-mirrors] HSTS for a tor mirror

Alain Wolf tormaster at urown.net
Tue Jan 2 12:39:09 UTC 2018


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Valentin

On 31.12.2017 16:31, Valentin Brandl wrote:
> Hi there, > I'm starting to build a mirror for the tor project. The instructions
> page states `Try not to redirect http to https. Many places in the
world > cannot use https due to local or national firewalls`. > > Since
there should be no redirect, should I also stop sending HSTS > headers
when the page is visited via https? Also should or shouldn't I > insert
my site into the HSTS preload list? I was asking myself the same
questions, when I setup my mirror.
Then I found this:

$ curl -is https://www.torproject.org/ | grep Strict-Transport-Security
Strict-Transport-Security: max-age=15768000; preload

Also, my own domain, where the mirror lives under, has
"includeSubdomains" enabled and is on the preload list. So unless I
change my whole domain setup with all its websites, its active anyway on
my mirror.

So I figured it might be left as an exercise to the user to disable HSTS
in his browser. Because if he lives or works behind such a proxy he will
be barred from more then half of the worlds websites by the end of the year.

Or maybe I should setup an entirely different domain with no TLS and
HSTS at all?



-----BEGIN PGP SIGNATURE-----

iQJ8BAEBCgBmBQJaS31tXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ1ODMzNjFDQzQ3RjU4RjJGRTVEMzFERUM3
NDk4QUQzNjFFNDA3NzFFAAoJEHSYrTYeQHcewR4P/iwmJUhsHFKsgWS+t09MC0L5
4KNZjpK5iCWaiJnyS0uv3K+WotrQC0neOojqgEX967eiM062pfDeYH6H5BXnGdoj
zfdgbkr+l8CFTh9U0llQoJtbLaVoThLuIB+kzFdxf+9zWbW5DBZOKItw8LulZ3Bs
Hq2LXTFg00V9awQYtX8AfDKGixHKDcvFAVBWEBVHpBfufVII/Y/xc9SFEFHGXkeg
njgAgMM8sZD6GDuTw731801SDgcar4O2eIMS6aLh6F2NYXIhWfDuaLsYI02ZUZkP
riLarIWpiumGiFLyR9dO1nxm+HNE49P150BqD9/dKjW+wxIoHFc425hX6Cct+D0P
fMinzkyOSJBMhW/ztz53dRPdnDGDFMLnxgtYinP/RuOwSmComk1rfzz4cMO+6OER
+Y45tJMpaIts7vmj28ZOqokGomR3PIZotxRJWag8vNKWAlEiRuu3vplJqGQe6ORI
vJp8rjp9UFTzmb34Nq9KuHf9sN7/+gPRsM3b6GxTY3WgwD4+YLCKV6YvgeRb/Gf6
98l2Am8HyNacZzKefwc0uz4XieVixiDargm5+zjW0LY+iOdm3h33Y0IFDbHYKgF6
b4unRj84VcpVlj5VcFQRvAnRdQVE4b2H95sD6Hzrbbn9XtDT4mM9wZP0vdQpSqE0
+nryZU2J+fGPI1DSZgfc
=AjGT
-----END PGP SIGNATURE-----



More information about the tor-mirrors mailing list