[tor-mirrors] HSTS for a tor mirror
dw at thedave.ca
Tue Jan 2 22:10:22 UTC 2018
On 2018-01-02 05:39, Alain Wolf wrote:
> So I figured it might be left as an exercise to the user to disable HSTS
> in his browser. Because if he lives or works behind such a proxy he will
> be barred from more then half of the worlds websites by the end of the year.
It also occurs to me that a user who is blocked from using HTTPS won't
see the HSTS header delivered over HTTPS at all. Therefore as long as
you don't force a redirect from HTTP to HTTPS for your mirror's
hostname, the mirror should more or less "just work" even for users who
1) honor HSTS, and 2) have previously visited your bare domain or www.
Users who can't use HTTPS will likely (hopefully?) be aware of how to
disable HSTS, although it would be a shame if the technical knowledge to
reconfigure one's existing browser became a requirement to download Tor.
Either way, I doubt a couple of mirrors make much difference, but I feel
it's worth discussing the relative merits as though all mirrors were to
More information about the tor-mirrors