: Removal from HSTS preload list? A client has moved their website to another provider who does not support secure (HTTPS) browsing. The previous site was served over HTTPS and sent HSTS headers
A client has moved their website to another provider who does not support secure (HTTPS) browsing. The previous site was served over HTTPS and sent HSTS headers and was included on the Chrome HSTS preload list, so many browsers automatically attempt a redirect to HTTPS, resulting in an error.
Chromium "Issue 467486: Remove website from HSTS list" highlights one specific website that required a whole discussion with developers to be removed. Is raising an issue to the Chromium team the only method to request removal?
More posts by @Lee4591628
1 Comments
Sorted by latest first Latest Oldest Best
The idea with HSTS is that you make sure that HTTPS is even enforced and thus the user is protected against attacks like sslstrip which try to downgrade the connection of the user to insecure HTTP.
This means using any of this options shows a huge commitment to the security of the user and that you probably have sensitive data to protect. Insofar it is very strange that your client now feels that SSL is not needed any more.
But, to get back to connections with no SSL the client must wait until the time specified in the HSTS max-age attribute is over. And with preloaded HSTS it must first make sure that the entry is removed from the browsers code itself (i.e contact the developers) and then must wait until everybody upgraded the browser to the newer version which does have the HSTS entry any longer. For all the time the client should better still be reachable by HTTPS. And this can take month. From hstspreload.appspot.com/:
Be aware that inclusion in the preload list cannot really be undone. You can request to be removed, but it will take months for the deleted entry to reach users with a Chrome update and we cannot make guarantees about other browser vendors. Don't request inclusion unless you're sure that you can support HTTPS for the long term.
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.