SSL rather TLS has been available to all after Let’s Encrypt (project is certbot now) project became usable. In This Article We Have Explained Real Life Matters Around HTTPS Everywhere Atlas Vs HSTS Preload List For the WebMasters and Developers. We talked around Nginx configuration for HSTS, but with time things need update.
HTTPS Everywhere Atlas Vs HSTS Preload List in 2017
HTTP Strict Transport Security (HSTS) is an IETF standards track protocol or security policy which is described in RFC 6797 :
The methodology helps to prevent protocol downgrade attacks, prevents some wireless sniffing toolkits, prevents cookie hijacking, allows web servers to declare forcing rules like never to use the insecure HTTP protocol, can fix types of man-in-the-middle attacks. A determined attacker can impersonate a user’s DNS server or wireless network by spoofing. These are important weak points to close by the financial institutions like the banks.
That RFC 6797’s section 5.3 talks about HSTS Policy Storage and Maintenance by User Agents. From that thing, previously two important lists were for the websites – HTTPS Everywhere Atlas and HSTS Preload List.
HTTPS Everywhere is a collaboration between Tor Project and Electronic Frontier Foundation. Webmasters essentially need to create a XML ruleset and submit to the GitHub project :
HTTPS Everywhere was a free and open source browser extension for Google Chrome, Mozilla Firefox and Opera, which is developed collaboratively by The Tor Project and the Electronic Frontier Foundation. HSTS Preload List is a collaboration between different browsers. Webmasters simply need to submit site here :
Now often webmasters get confused where to submit to become in preload list – at HTTPS Everywhere Atlas or HSTS Preload List or Both. Answer is HSTS Preload List. The reason is :
Websites like us were both listed on HSTS Preload List and HTTPS Everywhere Atlas. But now, HTTPS Everywhere kicking out the domains which are already on HSTS Preload List. HTTPS Everywhere Atlas simply need HTTP version of the site which becomes impossible if the site is HSTS Preload listed. You can read the screenshot of conversation as comments on pull request :
Original URL here :
If you were HTTPS Everywhere Atlas listed plus HSTS Preload Listed, HTTPS Everywhere has kicked you out with the new policy. The odd conversation is out of not knowing it. There is an old but informative PDF :