
weedfroglozenge | 4 years ago

I'm glad I saw this comment. What can make a site perform like that?

At work we use Chrome as our general browser, and we've had several issues with expired certs before. Some websites allowed you to expand the box and opt "Continue", but some simply didn't have the option. What's the difference?

bmcahren | 4 years ago

HTTP Strict Transport Security (HSTS) is enabled at the DNS level which tells modern browsers "I'm a modern website and want to only be served on valid certificates, otherwise refuse to allow access to my website because something must be very wrong for this to happen".

The assumption is that "must be very wrong" is an attack you don't want people to "continue" past. Occasionally it bites back like this if you don't maintain your certificates.

Offering HTTP transport invites attackers to inject advertisements, malware, or viruses into your packet stream. ISPs like Comcast and AT&T are notorious for doing this.

Allowing falsified or expired certificates invites attackers as well.

HSTS. This is a good thing.

Dylan16807 | 4 years ago

DNS? You announce it with a header or get on the preload list. I don't think there's a DNS method.

eropple | 4 years ago

Sites can opt into "do not let somebody continue if the cert is bad" via HSTS.
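Dylan16807 and eropple describe the two ways a site opts in: the Strict-Transport-Security response header, or the browser preload list. The following is an added Python example, not code from anyone in this thread, that parses the header as RFC 6797 specifies (malformed headers are ignored, so they give no protection) and applies the header-side checks the hstspreload.org submission form enforces; the one-year minimum is the real preload requirement, and the timestamps passed to `enforced_at` are constructed values.

```python
from dataclasses import dataclass
from typing import Optional

PRELOAD_MIN_MAX_AGE = 31_536_000  # preload list requires max-age >= 1 year

@dataclass
class HstsPolicy:
    max_age: int  # seconds the browser must remember the policy
    include_subdomains: bool
    preload: bool

def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value as RFC 6797 section 6.1 requires.
    Returns None for a malformed header (missing or non-numeric max-age, or a
    repeated directive): a conforming browser ignores such a header entirely,
    so the site gets no HSTS protection and the click-through stays available."""
    max_age = None
    include_subdomains = preload = False
    seen = set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age may be a quoted-string
        if name in seen:
            return None                      # each directive MUST appear at most once
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)

def enforced_at(policy: HstsPolicy, received_at: int, now: int) -> bool:
    """True while a cached policy is live, i.e. while the browser refuses a bad
    certificate with no "Continue" option. max-age=0 forgets the policy."""
    return policy.max_age > 0 and now < received_at + policy.max_age

def preload_eligible(policy: HstsPolicy) -> bool:
    """The header-side checks hstspreload.org applies before listing a domain."""
    return (policy.max_age >= PRELOAD_MIN_MAX_AGE
            and policy.include_subdomains and policy.preload)
```

A site whose expired certificate blocks the click-through is one whose policy is still within max-age in the visitor's browser (or is on the preload list); a site without a valid header never triggers that behaviour.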