[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Sks-devel] Pools & HSTS header
|
From: |
William Hay |
|
Subject: |
Re: [Sks-devel] Pools & HSTS header |
|
Date: |
Thu, 2 Jun 2016 20:25:28 +0100 |
|
User-agent: |
Mutt/1.5.23 (2014-03-12) |
On Thu, May 26, 2016 at 12:47:57AM +0200, Valentin Sundermann wrote:
> Hi,
>
> I enforce HTTPS on all my domains by sending the HSTS header to my
> visitors. HSTS forces the browser to use in future only secure
> connections to this domain. More info on Wikipedia[1] :)
> Since my keyserver could be added to pools of keyservers without any
> notice to me. It could be possible that some servers will send these
> kind of headers on pool domains too.
>
> Did I miss there something or could this really lead to problems? :)
AIUI HSTS only works if the header is received over an https connection
not an http one. Unless you have a cert in the name of one of the pools
then anyone trying to connect to the pool who ends up connecting to your
server will not get far enough to see the HSTS header because of a name
mismatch.
I believe the only pool Kristian issues certs for is the hkps pool
where https is required and said certs are not recognised by most
browsers in any case.
You presumably won't have asked other CAs for certs to pools you have
been added to without your knowledge.
The only risk I can see is if you explicitly configure the pools on your
web server then request a cert from your CA on autopilot (say ACME
protocol) and the CA grants it (unlikely with ACME as the attempt to check
for proof will likely go to another server).
William
signature.asc
Description: Digital signature
- Re: [Sks-devel] Pools & HSTS header,
William Hay <=