#hstspreload

Erik van Straten
<p><span class="h-card" translate="no"><a href="https://framapiaf.org/@pmevzek" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>pmevzek</span></a></span>: all those "terrific" new Google HSTS preload TLDs [1] do one terrific job for sure: facilitate cybercrime by confusing all but expert internet users.</p><p>They were created for purely commercial purposes. Say someone has registered "microsoft.com". Now *YOU* have the possibility to register "microsoft.dev"! Unless another criminal is faster than you, or Microsoft, or a registrar who speculates that they can resell it for a higher price. Guess who wins most and who gets to pay in the end. It is sick.</p><p>[1] <a href="https://www.thesslstore.com/blog/google-forcing-https-connections-45-tlds-hsts/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">thesslstore.com/blog/google-fo</span><span class="invisible">rcing-https-connections-45-tlds-hsts/</span></a></p><p>W.r.t. the supposed advantage of https over http: it is irrelevant whether a connection to a criminal website (usually impersonating a real one) uses http or https.</p><p>To reduce the risks when deciding to trust a website, an internet user (who understands the necessity) needs to know at least the following things:</p><p>(1) Who apparently *owns* a website;</p><p>(2) The probability that the owner is who they claim to be.</p><p>Big tech deliberately frustrates this process using lies: see <a href="https://infosec.exchange/@ErikvanStraten/112914047006977222" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/112914047006977222</span></a> for more info.</p><p>Apart from junk TLDs, the "good old" TLDs are *not* on the HSTS preload list. For added security, each .com website (and those under a zillion other TLDs) would have to register with the preload list, which does not scale.</p><p>To be honest, HSTS has a slight advantage in most (or all?) browsers: *if* the browser "knows" that a website insists on the use of https, any certificate warning becomes a fatal error (the user cannot tap "connect anyway" or something like that).</p><p>*IF* that is a good idea in each and every case, then browsers could enforce this *without* HSTS (with or without preload). Or permit bypasses in specific cases, such as when a certificate has expired, for example limited to 1 week.</p><p>Anyway, everyone could do me (not just me, by the way) a big favor if they'd stop promoting flawed alternatives to "https only".</p><p>And an even bigger favor if everyone stopped defending the one-size-fits-all way in which browsers treat certificates. Their makers do their very best to eliminate the possibilities that internet users have to distinguish between websites with known versus unknown (anonymous) owners.</p><p>Note: knowing who owns a website does not warrant reliability. However, not knowing who owns a website may mean that the owner *does not want you to know* who they are. Guess why.</p><p><span class="h-card" translate="no"><a href="https://hachyderm.io/@lucasmz" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>lucasmz</span></a></span> <span class="h-card" translate="no"><a href="https://social.security.plumbing/@freddy" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>freddy</span></a></span> </p><p><a href="https://infosec.exchange/tags/HSTSpreload" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HSTSpreload</span></a> <a href="https://infosec.exchange/tags/HSTS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HSTS</span></a> <a href="https://infosec.exchange/tags/https" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>https</span></a> <a href="https://infosec.exchange/tags/http" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>http</span></a> <a href="https://infosec.exchange/tags/WebsiteOwner" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WebsiteOwner</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/OV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OV</span></a> <a href="https://infosec.exchange/tags/EV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EV</span></a> <a href="https://infosec.exchange/tags/QWAC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>QWAC</span></a> <a href="https://infosec.exchange/tags/BigTech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BigTech</span></a> <a href="https://infosec.exchange/tags/CyberCrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberCrime</span></a> <a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a></p>
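<p>The post above contrasts TLDs that are preloaded as a whole (every name under .dev is forced to HTTPS) with the "good old" TLDs, where each site has to get itself onto the preload list. The following Python is an added example, not code from the post or from any browser or from hstspreload.org: it implements the lookup rule browsers apply to the preload list (exact match, or a parent entry registered with <code>include_subdomains</code>) over a constructed excerpt in the shape of Chromium's <code>transport_security_state_static.json</code> entries, and checks whether a site's own <code>Strict-Transport-Security</code> header meets the three header requirements hstspreload.org states for submission (max-age of at least one year, <code>includeSubDomains</code>, <code>preload</code>). The list entries and hostnames are illustrative and not taken from the real list.</p>

```python
"""Added example: HSTS preload lookup and preload-eligibility check.

The PRELOAD_EXCERPT below is constructed for this example in the shape
of Chromium's transport_security_state_static.json entries; it is not
the real preload list, and the hostnames are illustrative only.
"""

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts

# Constructed excerpt. A TLD such as "dev" is preloaded with
# include_subdomains, so every name under it is forced to HTTPS; a .com
# site is covered only if it registered itself (with or without subdomains).
PRELOAD_EXCERPT = [
    {"name": "dev", "mode": "force-https", "include_subdomains": True},
    {"name": "app", "mode": "force-https", "include_subdomains": True},
    {"name": "preloaded-shop.com", "mode": "force-https", "include_subdomains": True},
    {"name": "www.only-this-host.com", "mode": "force-https", "include_subdomains": False},
]


def preloaded_entry(hostname, entries=PRELOAD_EXCERPT):
    """Return the entry that forces HTTPS for hostname, or None.

    Browser rule: an exact match always applies; a parent label applies
    only when that parent was registered with include_subdomains.
    """
    labels = hostname.lower().rstrip(".").split(".")
    by_name = {e["name"]: e for e in entries if e.get("mode") == "force-https"}
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = by_name.get(candidate)
        if entry is None:
            continue
        if i == 0 or entry["include_subdomains"]:
            return entry
    return None


def is_preloaded(hostname, entries=PRELOAD_EXCERPT):
    return preloaded_entry(hostname, entries) is not None


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a dict.

    Directives are ';'-separated and case-insensitive (RFC 6797 section
    6.1); max-age may be quoted. 'preload' is the extra directive that
    hstspreload.org requires.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def preload_problems(header_value):
    """Return the header-level reasons hstspreload.org would reject a site.

    The live checks the submission form also performs (valid certificate,
    http:// redirecting to https:// on the same host) need a network
    connection and are deliberately not modelled here.
    """
    h = parse_hsts(header_value)
    problems = []
    if h["max_age"] is None:
        problems.append("max-age missing")
    elif h["max_age"] < ONE_YEAR:
        problems.append(f"max-age {h['max_age']} is below one year ({ONE_YEAR})")
    if not h["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not h["preload"]:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    for host in ("microsoft.dev", "anything.at.all.dev", "microsoft.com",
                 "shop.preloaded-shop.com", "www.only-this-host.com",
                 "mail.only-this-host.com"):
        print(f"{host:28} preloaded: {is_preloaded(host)}")
    print(preload_problems("max-age=15768000; includeSubDomains"))
    print(preload_problems("max-age=63072000; includeSubDomains; preload"))
```

<p>The lookup makes the post's point concrete: <code>microsoft.dev</code> is forced to HTTPS by the single <code>dev</code> entry, while <code>microsoft.com</code> gets nothing from the list unless its owner submits it, and an entry registered without <code>include_subdomains</code> protects only that one hostname.</p>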