Hacker News

HSTS only works if you have visited the site before or it is hard coded (see Chrome and Google services for example).

Reality is that DNS remains and will continue to remain a giant hole in TLS.




All major browsers implement HSTS preloading, and getting added is quite simple. A very large percentage of your average internet user's traffic is covered by this.


Preloading is a problem waiting to happen. It works fine when only a small portion of the internet uses it. But when you have a 2 GB preload file with a few billion entries, things are not going to work so well.


The idea is to make HTTPS the default before that happens. In the meantime, you can fit a lot of domains into bloom filter-like data structures.
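As an added illustration of the point in the comment above (example code written for this thread, not from any commenter, browser vendor or the preload-list project): a Bloom filter stores set membership with no false negatives and a tunable false-positive rate, so a preload-style "is this host HTTPS-only?" check for a million hosts fits in roughly 1.2 MB at a 1% false-positive rate. The sample hosts and the padding hostnames are constructed; the parent-domain walk in `should_upgrade` assumes every entry covers its subdomains, which is what preload submission requires.

```python
import hashlib
import math

# Constructed sample of preloaded hosts (not the real preload list).
SAMPLE_PRELOAD = ["example.com", "example.net", "example.org"]


def optimal_params(n_items, fp_rate):
    """Bit count and hash count that minimise size for n items at a target FP rate."""
    m = math.ceil(-n_items * math.log(fp_rate) / math.log(2) ** 2)
    k = max(1, round(m / n_items * math.log(2)))
    return m, k


class BloomFilter:
    """Set-membership sketch: never a false negative, tunable false positives."""

    def __init__(self, n_items, fp_rate=0.01):
        self.m, self.k = optimal_params(n_items, fp_rate)
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, host):
        # Double hashing: derive k bit positions from one SHA-256 digest.
        digest = hashlib.sha256(host.lower().encode()).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd stride, never 0
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, host):
        for pos in self._positions(host):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, host):
        return all(self.bits[pos >> 3] & (1 << (pos & 7))
                   for pos in self._positions(host))

    def size_bytes(self):
        return len(self.bits)


def should_upgrade(host, preload):
    """True if host or any parent domain is in the sketch.
    Assumes entries cover subdomains, as preload submission requires."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        if ".".join(labels[i:]) in preload:
            return True
    return False


def build_sample_filter(capacity=1000, fp_rate=0.01):
    """Filter loaded to its design capacity with constructed hostnames."""
    bf = BloomFilter(capacity, fp_rate)
    for host in SAMPLE_PRELOAD:
        bf.add(host)
    for i in range(capacity - len(SAMPLE_PRELOAD)):
        bf.add(f"site-{i}.example")  # constructed padding entries
    return bf


def observed_fp_rate(bf, probes=10_000):
    """Fraction of hostnames known to be absent that the filter still accepts."""
    hits = sum(f"absent-{i}.invalid" in bf for i in range(probes))
    return hits / probes


if __name__ == "__main__":
    bf = build_sample_filter()
    print(f"{bf.m} bits, {bf.k} hashes, {bf.size_bytes()} bytes for 1000 hosts")
    print("www.example.com ->", should_upgrade("www.example.com", bf))
    print("observed false-positive rate:", observed_fp_rate(bf))
    m, _ = optimal_params(1_000_000, 0.01)
    print(f"1M hosts at 1% FP: {m / 8 / 1e6:.2f} MB")
```

The failure mode is one-directional: a false positive upgrades a host to HTTPS that was never preloaded, which can break an HTTP-only site but never downgrades a preloaded one. Lowering `fp_rate` buys fewer such upgrades at the cost of more bits per entry, which is the trade-off a browser would tune before shipping such a structure.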





