And in ten years, I'm sure they'll ban HTTP altogether.
This is unacceptable, IMHO. I was trying to use a site with misconfigured HSTS the other day, and it wouldn't let me. No override, no nothing. That's just offensive. If it gives me a warning, fine. But when it outright tells you, "no I know better than you and I'm going to be smug about it," then this has gone too far.
Browsers are "user-agents," meaning they act on behalf of the user. If they do not do this, they are not browsers anymore.
"If a web application issues an HSTS Policy, then it is implicitly opting into the "no user recourse" approach, thereby all certificate errors or warnings cause a connection termination, with no chance to "fool" users into making the wrong decision and compromising themselves."
12 comments
[ 934 ms ] story [ 1035 ms ] threadThis is unacceptable, IMHO. I was trying to use a site with misconfigured HSTS the other day, and it wouldn't let me. No override, no nothing. That's just offensive. If it gives me a warning, fine. But when it outright tells you, "no I know better than you and I'm going to be smug about it," then this has gone too far.
Browsers are "user-agents," meaning they act on behalf of the user. If they do not do this, they are not browsers anymore.
[1]: https://tools.ietf.org/html/rfc6797#section-12.1
"If a web application issues an HSTS Policy, then it is implicitly opting into the "no user recourse" approach, thereby all certificate errors or warnings cause a connection termination, with no chance to "fool" users into making the wrong decision and compromising themselves."
The standard is idiotic. Which part of "user agent" don't they understand?
In what browser? I'm not aware of any that have no override.