[tor-mirrors] HSTS for a tor mirror

Dave Warren dw at thedave.ca
Tue Jan 2 22:10:22 UTC 2018


On 2018-01-02 05:39, Alain Wolf wrote:
> So I figured it might be left as an exercise to the user to disable HSTS
> in his browser. Because if he lives or works behind such a proxy he will
> be barred from more than half of the world's websites by the end of the year.

It also occurs to me that a user who is blocked from using HTTPS won't 
see the HSTS header delivered over HTTPS at all. Therefore as long as 
you don't force a redirect from HTTP to HTTPS for your mirror's 
hostname, the mirror should more or less "just work" even for users who 
1) honor HSTS, and 2) have previously visited your bare domain or www.

Users who can't use HTTPS will likely (hopefully?) be aware of how to 
disable HSTS, although it would be a shame if the technical knowledge to 
reconfigure one's existing browser became a requirement to download Tor.

Either way, I doubt a couple of mirrors make much difference, but I feel 
it's worth discussing the relative merits as though all mirrors were to 
make changes.
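
The HSTS behaviour discussed in this message, as an added example that is not part of the original post: a minimal model of how an RFC 6797 user agent stores policy and decides whether an http:// request to a mirror hostname gets upgraded. The `HSTSStore` class, the example.org hostnames and the header values are constructed for illustration.

```python
import time

class HSTSStore:
    """Constructed model of a browser's HSTS policy store (RFC 6797)."""
    def __init__(self):
        self._policies = {}  # host -> (expiry_epoch, include_subdomains)

    def note_response(self, scheme, host, headers, now=None):
        """Record a policy. The header is ignored on plain HTTP (RFC 6797 8.1)."""
        now = time.time() if now is None else now
        value = headers.get("Strict-Transport-Security")  # exact-case key assumed
        if scheme != "https" or value is None:
            return False
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            if name.strip().lower() == "max-age":
                arg = arg.strip().strip('"')
                max_age = int(arg) if arg.isdigit() else None
            elif name.strip().lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False  # max-age is mandatory; without it the header is invalid
        if max_age == 0:
            self._policies.pop(host.lower(), None)  # max-age=0 removes the policy
        else:
            self._policies[host.lower()] = (now + max_age, include_sub)
        return True

    def must_upgrade(self, host, now=None):
        """True if an http:// request to host would be rewritten to https://."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            # Exact host match, or a parent domain that set includeSubDomains.
            if policy and policy[0] > now and (i == 0 or policy[1]):
                return True
        return False

def demo(now=0):
    """Three constructed users, each later requesting http://mirror.example.org."""
    plain = {"Strict-Transport-Security": "max-age=31536000"}
    wide = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    users = {"http_only": HSTSStore(), "apex": HSTSStore(), "apex_subdomains": HSTSStore()}
    users["http_only"].note_response("http", "mirror.example.org", wide, now)
    users["apex"].note_response("https", "example.org", plain, now)
    users["apex_subdomains"].note_response("https", "example.org", wide, now)
    return {k: s.must_upgrade("mirror.example.org", now + 1) for k, s in users.items()}
```

Whether a prior HTTPS visit to the bare domain affects the mirror hostname depends on whether that policy carried `includeSubDomains`.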

