perma-id/w3id.org

Submit w3id.org to HSTS preload list (configuration changes needed)

athalhammer opened this issue · 0 comments

Dear all,

HSTS preload lists make it possible to avoid sending the first request as plain HTTP and to encrypt the first request directly. This has a lot of security benefits, in particular avoiding man-in-the-middle attacks that target interception of the first request.

It seems that w3id.org is not fit for being submitted to the list that is used by a couple of browsers:

https://hstspreload.org/?domain=w3id.org

So, in my opinion, basically everyone that uses http://w3id.org to refer to their resources could potentially be targeted and users of these URIs could be easy victims on malicious public Wi-Fi etc.

Edit - here is a screenshot:
[screenshot: fail]

Edit:
So when someone requests http://w3id.org/fraunhofer/lighthouse-projects/evolopro/cirp.ttl, and has never visited https://w3id.org before, this first request will be plain HTTP (tried and tested with Wireshark).

Kind regards,
Andreas