This site is now HSTS preloaded

27th January 2017 10:33 am

As of Chrome 57 – which is not quite out yet – this site will be automatically ‘preloaded’ over HTTPS, thanks to a newish web technology called HSTS.

Everyone knows about SSL, but not everyone (which included me until recently) has thought about how SSL can still be thwarted by a well-placed man-in-the-middle attack. Basically, if a user visits a website over HTTP (which is usually the case, because people rarely type in https:// manually) and a man-in-the-middle jumps in, that attacker can change the behaviour of the site or access the data being sent to/from the user before the site has a chance to redirect them to the HTTPS scheme.

HSTS allows sites to specify to the browser that they should always be accessed over HTTPS. Once a user visits the site for the first time, the browser remembers this, and on any subsequent visit will automatically request the HTTPS address no matter what the user types in. This increases security and presents a small time saving, because that first redirect is no longer needed.

This is a great idea, and every website should enable HSTS if they are – and will always be – using SSL. And every website should be using SSL anyway (it’s now free, Google will rank you higher, and it protects your users).

There’s one more gotcha though: what happens if a man-in-the-middle attacks before that very first visit to a site, when the HSTS header is first delivered to and cached in the browser? Enter HSTS preloading: a list maintained by the Chromium project, hardcoded into browsers, which tells browsers to always request certain sites over HTTPS – even if the user has never visited them before. This is some good thinking.

So, even though this site is just a playground and just a blog and really handles no user data that anyone would bother stealing, it will now be automatically loaded over HTTPS even if you’ve never been here before.

You can see all the sites on the Chrome preload list here, and you can submit your site for inclusion here. If you submit for HSTS preloading, do note that you must ensure your site AND all its subdomains will always be available over HTTPS – otherwise they will become inaccessible to users. If you can’t do this for all your subdomains, you can’t use HSTS preloading, but you can still use HSTS.
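As an added example (not code from the original post), here is a small Python model of the behaviour described above: a parser for the Strict-Transport-Security header, a check of the directives the preload submission requires (the one-year max-age minimum is the current list requirement and is an assumption here, not something the post states), and a browser-side store that upgrades requests for remembered hosts, for their subdomains when includeSubDomains is set, and for preloaded hosts on the very first visit.

```python
PRELOAD_MIN_MAX_AGE = 31536000  # one year; assumed current hstspreload.org minimum

def parse_sts(header):
    """Parse a Strict-Transport-Security value; None if a browser would ignore it."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                return None  # malformed max-age: the whole header is dropped
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None or policy["max_age"] < 0:
        return None  # max-age is the one mandatory directive
    return policy

def preload_eligible(policy):
    """Directive requirements the preload submission form checks for."""
    return bool(policy and policy["preload"] and policy["include_subdomains"]
                and policy["max_age"] >= PRELOAD_MIN_MAX_AGE)

class Browser:
    def __init__(self, preload_list):
        # The hardcoded list covers the very first visit. Submission requires
        # includeSubDomains, so each entry is treated as covering subdomains.
        self.preload = set(preload_list)
        self.known = {}  # host -> (expiry, include_subdomains), learned from responses

    def remember(self, host, header, now):
        """Cache the policy carried by an HTTPS response from host."""
        policy = parse_sts(header)
        if policy:
            self.known[host] = (now + policy["max_age"], policy["include_subdomains"])

    def should_upgrade(self, host, now):
        """Rewrite http:// to https:// if host or a parent domain has a live policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            parent = ".".join(labels[i:])
            if parent in self.preload:
                return True
            entry = self.known.get(parent)
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False
```

The hostnames and headers in the test are constructed; the `Browser` class shows why a cached policy protects only return visits, while a preload entry also protects the first one.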