It’s a bad idea to encourage sites to preload HSTS unless and until they have automated the certificate deployment and configuration. Pushing HSTS because it’s “just” a header and an easy win misses that the site operator is committing to ensure “good” HTTPS for that time.
What if HSTS preloading required you demonstrate you can rotate your certificates to include a challenge within X minutes?
Replying to @sleevi_
Let's see http://google.com do it first.
4:19 PM - 6 Sep 2018