Experimental https is now up on https://musl-libc.org , may go up and down as I tweak things. Official announcement coming soon.
@necrophcodr IMO redirecting to https is near-worthless without HSTS, and HSTS won't be honored by stateless tools anyway.
-
-
@RichFelker@necrophcodr Stateless tools could import the Chromium HSTS preload list just like other browser vendors. It's not that big. -
@CopperheadSec@necrophcodr But that's not stateless, and makes an awful bug to track down (e.g. works for ppl without Chromium installed). -
@RichFelker@necrophcodr I mean the static preload list they ship with the browser based on preload in header: https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json …. -
@CopperheadSec@necrophcodr Ah okay. I thought you meant import from ~/.chromium or whatever.
End of conversation
New conversation -
-
-
@RichFelker@necrophcodr In general, redirect to https is very nice as it instantly informs everybody that https is available. -
@RichFelker@necrophcodr Redirect to https has its value even for a public resource without hsts. -
@RichFelker@necrophcodr It lowers the amount of info logged by ISPs. -
@RichFelker@necrophcodr It also thwarts those ISPs that insert ads into http traffic. (I hope they don't strip https just for ads:-) -
@ch3root@necrophcodr In theory the ISP could fetch the https version themselves and send (mod'd) result over http in place of the redirect.
End of conversation
New conversation -
-
-
@RichFelker I'm not sure how not doing it is any better though, but if you find a better way do post about it.Thanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.