Hi folks. Long time, no emails to this list!
The HSTS preload list has grown quite large, and is growing rapidly. To partially mitigate the size, we expect to remove sites from the list that no longer meet submission requirements. Initial estimates suggest that this will shrink the list by almost half.
hstspreload.org states that sites must continue to satisfy the submission requirements, and although we have not historically enforced this, the site notes that "sites may be removed automatically in the future for failing to keep up the requirements."
We intend to prune only sites that were added via hstspreload.org and no longer meet their inclusion criteria on at least two occasions, at least two weeks apart, and from at least two different network perspectives.
Sites will only be held to the requirements that they were initially added under. In particular, hstspreload.org used to require a maxAge of only 18 weeks (it is now 1 year), and domains added during that period will only be held to the 18-week requirement.
Removing HSTS preloading should cause no breakage, though for the subset of to-be-pruned domains currently serving valid HTTPS traffic, it does reduce protection against downgrade attacks. Affected sites can avoid removal by ensuring they meet the current inclusion requirements.
We do not presently have an exact timeline for when this pruning will take place; we have some tooling that needs to be built out yet. But this is a big change, and so I wanted to explicitly solicit feedback from the community. Comments, suggestions, concerns, or criticisms, either on-list or directly to me, are welcome.
Best,
Joe, on behalf of the Chrome team
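As an added example (not part of the original email, and not Chrome's or hstspreload.org's own tooling), the following Python script checks a Strict-Transport-Security header value against the max-age floors mentioned above: the legacy 18-week floor that older submissions are still held to, and the current one-year floor. It also checks for the includeSubDomains and preload directives, which hstspreload.org requires in the header but which the email does not spell out; that part is from general knowledge of the preload list, not from the message. It deliberately checks only the header itself: the other inclusion criteria (a valid certificate, HTTP-to-HTTPS redirection, the header being served on the redirected-to HTTPS site) are out of scope here. The sample header values at the bottom are constructed for illustration.

```python
"""Check a Strict-Transport-Security header against hstspreload.org's header
requirements, at either the legacy 18-week or the current 1-year max-age floor.

Example code only; the 18-week and 1-year figures come from the announcement,
the includeSubDomains/preload requirements from hstspreload.org's published rules.
"""
import re

SECONDS_PER_WEEK = 7 * 24 * 60 * 60
LEGACY_MIN_MAX_AGE = 18 * SECONDS_PER_WEEK   # 10886400 s: the old hstspreload.org floor
CURRENT_MIN_MAX_AGE = 365 * 24 * 60 * 60     # 31536000 s: the current one-year floor

# One RFC 6797 directive: a token name, optionally "=" and a token or quoted-string value.
_DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*("[^"]*"|[^\s";]*))?\s*$')


def parse_hsts(header: str) -> dict:
    """Parse an STS header value per RFC 6797 (';'-separated directives,
    case-insensitive names, optional quoted values, duplicates are an error).

    Returns {"max_age": int|None, "include_subdomains": bool,
             "preload": bool, "errors": [str, ...]}.
    """
    result = {"max_age": None, "include_subdomains": False,
              "preload": False, "errors": []}
    seen = set()
    for raw in header.split(";"):
        if not raw.strip():
            continue  # stray ';' producing an empty directive is tolerated
        m = _DIRECTIVE_RE.match(raw)
        if not m:
            result["errors"].append(f"malformed directive: {raw.strip()!r}")
            continue
        name = m.group(1).lower()
        value = m.group(2)
        if value is not None and value.startswith('"'):
            value = value[1:-1]  # strip quoted-string delimiters
        if name in seen:
            result["errors"].append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if value is None or not value.isdigit():
                result["errors"].append(f"max-age needs a non-negative integer, got {value!r}")
            else:
                result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        # Unknown directives are ignored, as RFC 6797 requires.
    return result


def check_preload_requirements(header: str, legacy: bool = False) -> list:
    """Return the reasons a header fails hstspreload.org's header requirements.

    legacy=True applies the 18-week floor that domains added before the
    one-year change are still held to. An empty list means the header passes.
    """
    floor = LEGACY_MIN_MAX_AGE if legacy else CURRENT_MIN_MAX_AGE
    if not header.strip():
        return ["no Strict-Transport-Security header"]
    policy = parse_hsts(header)
    failures = list(policy["errors"])
    if policy["max_age"] is None:
        failures.append("max-age directive missing")
    elif policy["max_age"] < floor:
        failures.append(f"max-age={policy['max_age']} is below the required {floor} seconds")
    if not policy["include_subdomains"]:
        failures.append("includeSubDomains directive missing")
    if not policy["preload"]:
        failures.append("preload directive missing")
    return failures


if __name__ == "__main__":
    # Constructed sample header values, not captured from any real site.
    samples = [
        "max-age=31536000; includeSubDomains; preload",   # meets current requirements
        "max-age=10886400; includeSubDomains; preload",   # 18 weeks: legacy-only
        "max-age=300",                                    # typical non-preload deployment
        "",                                               # header not served at all
    ]
    for h in samples:
        for legacy in (False, True):
            label = "legacy (18-week)" if legacy else "current (1-year)"
            print(f"{h!r:50} {label:17} -> {check_preload_requirements(h, legacy) or 'OK'}")
```

Run it against the header a site actually serves over HTTPS (the value of the Strict-Transport-Security response header) with legacy=True only if the domain was added under the older 18-week rule; a site that passes only the legacy check is not at risk under this pruning, but still falls short of what a fresh submission needs.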