On Nov 5, 2013, at 6:45 PM, Marco Davids (Prive) <mdavids@xxxxxxxxxx> wrote:

> On 11/5/13 6:39 PM, Joe Abley wrote:
>> On 2013-11-05, at 18:21, ned+ietf@xxxxxxxxxxxxxxxxx wrote:
>>
>>> not every tool out there supports https.
>> That seems like the kind of thing we want to change (security as an afterthought vs. security as a fundamental requirement).
>>
> Enabling 'HTTP Strict Transport Security' (HSTS, RFC6797) might be a
> good first step.

HSTS means that HTTP is off (or just redirects you to HTTPS). The first S stands for "strict" and we mean it. :-)
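
Added example, not part of the original message: a sketch of the client-side half of RFC 6797, showing how a user agent parses the `Strict-Transport-Security` header, ignores it when it arrives over plain HTTP, and rewrites later `http://` requests for known hosts. The `HstsStore` class, host names and header values are constructed for illustration; IP-literal exclusion and IDNA canonicalization are left out.

```python
from urllib.parse import urlsplit, urlunsplit

def parse_sts(value):
    """Return (max_age, include_subdomains), or None if the header is invalid."""
    seen = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        name = name.strip().lower()           # directive names are case-insensitive
        if name in seen:                      # repeated directive: header is invalid
            return None
        seen[name] = arg.strip().strip('"')
    age = seen.get("max-age", "")             # max-age is required
    if not (age.isascii() and age.isdigit()):
        return None
    return int(age), "includesubdomains" in seen

class HstsStore:
    def __init__(self):
        self.hosts = {}                       # host -> (expiry time, include_subdomains)

    def note(self, url, sts_value, now):
        """Process a response header; return True if the policy was accepted."""
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        policy = parse_sts(sts_value)
        if u.scheme != "https" or not host or policy is None:
            return False                      # ignored over plain HTTP or if malformed
        if policy[0] == 0:
            self.hosts.pop(host, None)        # max-age=0 removes the known host
        else:
            self.hosts[host] = (now + policy[0], policy[1])
        return True

    def rewrite(self, url, now):
        """Return the URL the client fetches once stored policy is applied."""
        u = urlsplit(url)
        labels = (u.hostname or "").lower().split(".")
        for i in range(len(labels) if u.scheme == "http" else 0):
            exp, sub = self.hosts.get(".".join(labels[i:]), (0, False))
            if exp > now and (i == 0 or sub):  # exact host, or parent with includeSubDomains
                port = "" if u.port in (None, 80) else f":{u.port}"
                return urlunsplit(("https", u.hostname + port, u.path, u.query, u.fragment))
        return url

if __name__ == "__main__":                    # constructed hosts and header values
    store = HstsStore()
    store.note("https://example.org/", "max-age=31536000; includeSubDomains", now=0)
    print(store.rewrite("http://www.example.org/doc?id=1", now=10))
```

The very first request to a host the client has never seen over HTTPS is not covered by this mechanism, which is why the server-side redirect from HTTP to HTTPS is still needed alongside the header.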