– HTTPSing me softly
EDIT: the demo is no longer available.
I spent a while this morning making a proof-of-concept-ish of soft HTTPS enforcement without JavaScript.
You might look at it and think it’s completely idiotic and ask why anybody would want this, but I have a Nokia E51 and I constantly run into websites that force HTTPS on everything; my phone doesn’t understand either TLS or SNI (I can’t remember which), so the only thing that works for me is Google, not even Wikipedia.
Imagine an empty CSS file at /.well-unknown/cryptolocker with HSTS and immutable in Cache-Control. Place <link rel="stylesheet" href="https://yourdomain/.well-unknown/cryptolocker"> in your documents. Once this CSS loads, the whole domain will pick up HSTS from it, but only if the browser was capable of loading it at least once.
I have had a version of it running at harbringer.meekchopp.es if you’re interested, and here’s the nginx config it took to build.
Among the important things to remember is the fact that nginx’s add_header is only inherited from server by location (and other combinations) if there are no such instructions at the current level, so the repeated HSTS line is fully intentional.
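An added nginx configuration in the shape the post describes (an example written for this page, not the author’s original config); the hostname, document root and certificate paths are placeholders.

```nginx
# Added example, not the original post's config: soft HSTS via a cached,
# empty stylesheet. example.invalid and the paths below are placeholders.
server {
    listen 80;
    server_name example.invalid;
    # Plain HTTP keeps serving the site with no redirect, so clients that
    # cannot do TLS still get the pages; they simply never see the pin.
    root /var/www/example;
}

server {
    listen 443 ssl;
    server_name example.invalid;
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;
    root /var/www/example;

    # Server-level HSTS: inherited only by locations that declare no
    # add_header of their own.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location = /.well-unknown/cryptolocker {
        # Empty stylesheet with a long, immutable cache lifetime, so the
        # browser keeps the cached copy (and the HSTS it came with) without
        # refetching.
        default_type text/css;
        add_header Cache-Control "public, max-age=31536000, immutable";
        # Any add_header here replaces the inherited set instead of
        # extending it, so HSTS must be repeated or this response would
        # not carry it at all.
        add_header Strict-Transport-Security "max-age=31536000" always;
        return 200 "";
    }
}
```

Browsers only honour Strict-Transport-Security on responses received over HTTPS, so the stylesheet link must point at the https:// URL even when the page itself was loaded over plain HTTP.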