
Topic: Enable HSTS Preload in bitcointalk.org domain to avoid MITM attacks (Read 709 times)

full member
Activity: 205
Merit: 100
Once submitted the next releases of the browsers will include bitcoin.org in the HSTS Preload list and no one could load bitcointalk.org via HTTP again.

Why not simply disable HTTP endpoint from the server?
rme
hero member
Activity: 756
Merit: 504
At present, the bitcointalk.org domain sends this header
Strict-Transport-Security: max-age=3000000

This header is also known as HSTS, it tells the browser to only connect using HTTPS for the next 34 days.

The problem appears when the client is visiting bitcointalk.org for the first time (or in incognito mode, or has deleted the cache, etc.). The browser does not know that it has to use HTTPS to browse to bitcointalk.org, so when the user types the domain in his browser he will be connecting to http://bitcointalk.org instead of https://bitcointalk.org. If the network is being attacked he will be downloading malware instead of Bitcoin software.

How to fix it:
Add the includeSubDomains and preload directive to the header sent.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Then just submit bitcointalk.org domain to the HSTS Preload list in Chrome, Firefox and IE. This can be done easily just by clicking this link:
https://hstspreload.appspot.com/?domain=bitcointalk.org

Once submitted the next releases of the browsers will include bitcoin.org in the HSTS Preload list and no one could load bitcointalk.org via HTTP again.

As an example, bitcoin-related websites already using HSTS preloading include Coinbase, Coinapult, Bitgo, Localbitcoins, bitcoin.de, blockchain.info, GDAX and Multibit.
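As an added example (not part of the thread or of any bitcointalk.org code), here is a small Python checker that parses a Strict-Transport-Security header value along the directive grammar of RFC 6797 and reports whether it meets the three preload-list requirements the post names: a max-age of at least one year (31536000 seconds, the value in the proposed header), includeSubDomains, and preload. The two sample header values are constructed from the post (the current header and the proposed one); the function and class names are this example's own.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Minimum max-age the preload list requires: one year in seconds, which is
# exactly the value in the header proposed in the post (max-age=31536000).
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int]          # None when the directive is absent/invalid
    include_subdomains: bool
    preload: bool
    problems: List[str] = field(default_factory=list)


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse an HSTS header value; directive names are case-insensitive,
    unknown directives are ignored, duplicates and a missing max-age are
    reported as problems (RFC 6797 treats both as invalid)."""
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    problems: List[str] = []
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                max_age = int(value)
            else:
                problems.append(f"max-age is not a non-negative integer: {value!r}")
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive name is ignored, as the RFC requires
    if max_age is None:
        problems.append("max-age directive missing, header is not a valid HSTS policy")
    return HstsPolicy(max_age, include_subdomains, preload, problems)


def preload_eligible(policy: HstsPolicy) -> Tuple[bool, List[str]]:
    """Return (eligible, reasons) against the preload-list requirements."""
    reasons = list(policy.problems)
    if policy.max_age is not None and policy.max_age < PRELOAD_MIN_MAX_AGE:
        reasons.append(
            f"max-age {policy.max_age} is below the preload minimum {PRELOAD_MIN_MAX_AGE}"
        )
    if not policy.include_subdomains:
        reasons.append("includeSubDomains directive missing")
    if not policy.preload:
        reasons.append("preload directive missing")
    return (not reasons, reasons)


def days_covered(policy: HstsPolicy) -> int:
    """Whole days for which a browser that has seen the header will insist on HTTPS."""
    return 0 if policy.max_age is None else policy.max_age // 86400


# Constructed sample values taken from the post: the header currently sent and
# the header the post proposes.
CURRENT_HEADER = "max-age=3000000"
PROPOSED_HEADER = "max-age=31536000; includeSubDomains; preload"

if __name__ == "__main__":
    for label, value in (("current", CURRENT_HEADER), ("proposed", PROPOSED_HEADER)):
        policy = parse_hsts(value)
        ok, reasons = preload_eligible(policy)
        print(f"{label}: {value!r} -> {days_covered(policy)} days, preload-eligible={ok}")
        for r in reasons:
            print(f"  - {r}")
```

Note that the checker only judges the header text; the preload submission also requires the header to be served on the HTTPS site itself and HTTP to redirect to HTTPS, and the cached policy never protects the very first visit, which is exactly why the post wants the domain in the browsers' built-in list.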