11 comments

[ 5.3 ms ] story [ 42.7 ms ] thread
How long before browsers default to HTTPS-first, so they don't have to carry around a hefty preload list?
How long until websites stop hosting broken HTTPS sites with certificate errors? Same answer.

I use HTTPS Everywhere, you'd be surprised how many sites are broken by default in HTTPS.

Hackernews is one of them. I'm showing broken https in Chrome (43.0.2357.130).

"This site uses a weak security configuration (SHA-1 signatures), so your connection may not be private."

I am unable to reproduce. I am seeing SHA256. Are you being MitM-ed perhaps by your employer/school?
We'll need to see the certification chain. I agree with the other commenters this is suspect; not seeing any SHA-1 certs in the chain either.
I just tried on my MacBook pro on another network, and don't see the warning now. I'll need to go back to my iMac and find the certificate chain.
I just tried on my MacBook pro on another network, and don't see the warning now. I'll need to go back to my iMac and find the certificate chain.
That's odd; the certificate I'm seeing for news.ycombinator.com has a SHA-256 signature, and the Qualsys test agrees.
"Be aware that inclusion in the preload list cannot really be undone. You can request to be removed, but it will take months for the deleted entry to reach users with a Chrome update and we cannot make guarantees about other browser vendors."

So basically once you submit it your domain is forever HTTPS on Chrome? I'm sure there are cases that might warrant HTTP. Mostly though the cases I am coming up with are mostly testing or implementation speed. It is generally easier to stand up HTTP than HTTPS. At least for now until Lets Encrypt is standard.

So basically once you submit it your domain is forever HTTPS on Chrome?

Yes, and Firefox too since they share the preload lists.

Mostly though the cases I am coming up with are mostly testing or implementation speed. It is generally easier to stand up HTTP than HTTPS. At least for now until Lets Encrypt is standard.

That sounds more of an issue for new domains, rather than established ones, no? I mean once you set up an inverse proxy like nginx to handle the HTTPS side, that should disappear.