On Sun, 21 Oct 2012 22:32:07 +0200 Thomas Bächler <thomas@xxxxxxxxxxxxx> wrote:

> Out of curiosity, what is the motivation for this change?

I wonder too. If you have some server-side PHP or CGI, then enforcement is far better via a persistent redirect; MITM is not prevented in either case.

From experience of a friend of mine having boot trouble with Linux fsck (a problem OpenBSD does not have) with a dead laptop and BIOS battery. Any machine with a wrong clock (many more than you think, despite NTP) will be denied service with little gain in security over a PHP enforced redirect (except making the attacker proxy no SSL or a similar rather than same domain, you could argue a smaller window after first connect but considering the constant exploits for browsers and a MITM, does it buy you anything except deny some users access when pacman uses gpg).

SSL RFCs knew this and state that except for higher level protocols standard SSL does not require a correct clock.

I won't deny any customers access to my sites for the sake of HSTS, in any case. If the data about lost customers is discovered by the likes of Paypal, I will expect it to be promptly switched off or modified for compliance like the terrible DNSSEC saga.