[tor-mirrors] HSTS for a tor mirror

Heiko Richter email at heikorichter.name
Tue Jan 2 23:10:22 UTC 2018


Hi all,

correctly configured HSTS enabled hosts don't serve their content over
HTTP; they will *only* serve a 302 redirect to HTTPS. Therefore most of
the discussion is entirely moot. Anybody banned from HTTPS will not be
able to access the content through HTTP because they will only receive a
redirection to HTTPS. Any HSTS enabled server configured to serve
content over HTTP is *broken*. Therefore the multiple suggestions on the
list about making it a "user exercise" to disable HSTS on their browser
are complete nonsense. Making content available on HTTP and therefore
breaking HSTS is an administrative decision on the server side; there is
nothing users can do to access a correctly configured HSTS enabled
server if they are banned from using HTTPS. Anybody suggesting otherwise
has missed the entire point of HSTS and should read up on the topic
before writing about things they obviously do not understand.

Being someone that travels a lot to third world countries and China I
can tell you that blocking HTTPS completely is a thing of the past
though. The section of the wiki recommending to disable HTTPS and/or
enable HTTP is completely outdated and so is this discussion. Contrary
to public opinion the administrators of national firewalls know what
they are doing and have information about the world around them. As more
and more domains (especially the big ones) are moving to HSTS and most
browsers include preload lists, most national firewalls have moved to
transparent proxies with SSLBumping. Although the SSLBumping renders the
encryption worthless, people behind these firewalls have access to HTTPS
and will be able to download from HSTS enabled mirrors.

The problem of today is not whether or not users can access files through
HTTPS; it's about whether or not a transparent proxy will recognize the
tor installer for what it is and block its download.

Heiko
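The posture the post describes (plain HTTP answers with nothing but a redirect to the https:// origin; HTTPS answers carry a Strict-Transport-Security header) can be checked offline against captured responses. The following is an added example for mirror operators, not code from the tor-mirrors list or the Tor project. It assumes raw HTTP/1.1 response text as input, accepts any 3xx redirect status rather than only the 302 the post mentions, and uses constructed sample responses for a hypothetical host `mirror.example.org`.

```python
"""Offline check of a mirror's HSTS posture against captured raw responses.

Added example (not from the tor-mirrors list): the sample responses below
are constructed, and mirror.example.org is a placeholder host.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: any redirect status is acceptable, not only 302.
REDIRECT_STATUSES = {301, 302, 307, 308}


@dataclass
class Response:
    status: int
    headers: Dict[str, str]  # header names lower-cased
    body: str


def parse_raw_response(raw: str) -> Response:
    """Parse a minimal HTTP/1.1 response: status line, headers, blank line, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Response(status, headers, body)


def parse_hsts_max_age(value: str) -> Optional[int]:
    """Return the max-age directive of an HSTS header value, or None if missing/invalid."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else None
    return None


def check_http_side(resp: Response, expected_host: str) -> List[str]:
    """Plain-HTTP side: must be a bare redirect to the https:// origin, never content."""
    findings: List[str] = []
    if resp.status not in REDIRECT_STATUSES:
        findings.append(f"HTTP answered {resp.status}; an HSTS host should only redirect to HTTPS")
        if resp.body.strip():
            findings.append("content served over plain HTTP; HSTS posture is broken")
        return findings
    location = resp.headers.get("location", "")
    if not location.lower().startswith(f"https://{expected_host.lower()}"):
        findings.append(f"redirect target {location!r} is not https://{expected_host}")
    return findings


def check_https_side(resp: Response) -> List[str]:
    """HTTPS side: must set a Strict-Transport-Security policy with a positive max-age."""
    findings: List[str] = []
    hsts = resp.headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HTTPS response lacks Strict-Transport-Security")
        return findings
    max_age = parse_hsts_max_age(hsts)
    if max_age is None:
        findings.append("Strict-Transport-Security has no valid max-age")
    elif max_age == 0:
        findings.append("max-age=0 clears the HSTS policy instead of setting it")
    return findings


def check_mirror(http_raw: str, https_raw: str, host: str) -> List[str]:
    """Combine both sides; an empty list means the mirror matches the expected posture."""
    return check_http_side(parse_raw_response(http_raw), host) + \
        check_https_side(parse_raw_response(https_raw))


# Constructed sample responses (placeholder host, not real mirror output).
GOOD_HTTP = ("HTTP/1.1 301 Moved Permanently\r\n"
             "Location: https://mirror.example.org/\r\n"
             "Content-Length: 0\r\n\r\n")
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\n"
              "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
              "Content-Type: text/html\r\n\r\n<html>mirror index</html>")
BROKEN_HTTP = ("HTTP/1.1 200 OK\r\n"
               "Content-Type: text/html\r\n\r\n<html>mirror index</html>")
BROKEN_HTTPS = ("HTTP/1.1 200 OK\r\n"
                "Content-Type: text/html\r\n\r\n<html>mirror index</html>")

if __name__ == "__main__":
    for label, http, https in (("good", GOOD_HTTP, GOOD_HTTPS),
                               ("broken", BROKEN_HTTP, BROKEN_HTTPS)):
        print(label, check_mirror(http, https, "mirror.example.org") or "OK")
```

The "broken" sample is exactly the configuration the post calls broken: a host that sets HSTS on some path but still hands out content over plain HTTP, or serves HTTPS without ever setting the policy. Feeding real responses into `parse_raw_response` needs only the raw bytes of a captured exchange decoded to text.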

