#firefox uses a centralized redirect list for redirecting domains from http to https.
seems like a stupid idea.

so this is some kind of security practice based on this centralized list maintained by the chromium project.

https://hstspreload.org

another centralized list firefox is using is of course the "malware list", where firefox displays a red page and may or may not allow accessing the site after dismissing this notification.
while the redirect list from http to https may not seem that bad, it's still a security practice based on trust in a central authority. this central authority may affect the following:

- non-inclusion of a site in the list based on political view
- central server may be down
- central server may collect ip information upon access

however, the latter list, the "malware list", is already being misused. this list is basically based on user reporting. domain names may be flagged as "distributing malware" for whatever reason anyone thinks.

the web is distributed and web browsers should not rely on any centralized, trust-based security principles which move some control of your browser to third-party services.