add HSTS preload requirement for wallets #1277
Conversation
Some of the web wallets listed already enable this:

Thanks for bringing this to my attention. I'll look into enabling HSTS preloading for bitcoin.org (we should at least do it ourselves before making it a requirement for any wallets).
I think this is a good idea and I believe that it continues our (sometimes tedious) HSTS campaign, which is a good thing. Thank you very much for submitting it, and thanks for reviewing the existing listings. In the past, when we have introduced new requirements that some of our existing listings did not meet, we have placed them in our optional criteria section, strongly encouraging the criteria for new listings and requesting that existing listings update their offerings. A good example is that we initially introduced address rotation as optional and then moved it to required. It may be interesting to note that in that case, we did not list any new wallets that did not meet the criteria while it was in the optional section. @jameshilliard, I would recommend moving the new preload criteria to the optional section for the time being and later upgrading it to required. This will allow us to officially recommend it to our existing listings while giving them adequate time to research the implementation and any possible implications.

@Cobra-Bitcoin Any update on getting HSTS preloading enabled for bitcoin.org in light of this?
wbnns self-assigned this on Dec 9, 2016
wbnns requested changes on Dec 16, 2016
@jameshilliard HSTS is now enabled for Bitcoin.org - thank you for mentioning this. Other than the one change to the location of the requirement you proposed, everything LGTM.
| @@ -719,7 +719,7 @@ Basic requirements: | ||
| - No concerning bug is found when testing the wallet | ||
| - Website supports HTTPS and 301 redirects HTTP requests | ||
| - SSL certificate passes [Qualys SSL Labs SSL test](https://www.ssllabs.com/ssltest/) | ||
| -- Website serving executable code or requiring authentication uses HSTS with a max-age of at least 180 days | ||
| +- Website serving executable code or requiring authentication uses HSTS with a max-age of at least 180 days and is included in the [HSTS preload list](https://hstspreload.appspot.com/) |
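Review bot: the `+` line keeps the new preload condition inside the `Basic requirements:` block named in the `@@ -719,7 +719,7 @@` header, while the discussion above asks for it to go into the optional criteria for now; splitting the preload clause into its own optional bullet would leave the existing `max-age of at least 180 days` line untouched here. The new wording could also say that the preload list only accepts domains whose header carries the `includeSubDomains` and `preload` directives, so a wallet site knows what its header must contain before it is submitted.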
wbnns (Contributor) commented on Dec 16, 2016
@jameshilliard Hey, sorry that this PR hasn't been resolved just yet. Can you please move this to the Optional section as per the comment @crwatkins left?
wbnns added the Changes Requested label on Dec 16, 2016
@wbnns I've moved HSTS preloading to the optional section

Thanks @jameshilliard. LGTM.

Unless others object, this will be merged on Wednesday, December 21st. @jameshilliard Thank you, sir!
wbnns added the Merge Scheduled label and removed the Changes Requested label on Dec 17, 2016
wbnns merged commit 6f8e9c1 into bitcoin-dot-org:master on Dec 21, 2016 (1 check passed)
jameshilliard commented on Apr 9, 2016 (edited)
Requiring HSTS preloading reduces the risk of MITM attacks for users who have not previously visited a particular site and is especially useful for preventing downgrade attacks on Tor users or users who use browsers without persistent storage. bitcoin.org itself currently doesn't use HSTS preloading and it would be a good idea to enable it there as well.
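The listing criterion this PR touches is easy to check mechanically. The following Python checker is an added example written for this page; it is not code from the PR or from the bitcoin.org repository. It parses a `Strict-Transport-Security` header the way RFC 6797 describes (case-insensitive directive names, optional quoted `max-age`, duplicate directives invalidating the header) and reports whether the value meets the "max-age of at least 180 days" requirement from the diff, and separately whether it also carries the `includeSubDomains` and `preload` directives that the preload service requires in the header before a domain can be submitted. The preload service's own minimum `max-age` is not checked, since that number is set by the service and not by the page. The header values under `SAMPLE_HEADERS` are constructed for the example, not captured from any wallet site.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DAY = 24 * 60 * 60
# "max-age of at least 180 days" is the figure from the listing requirement.
MIN_MAX_AGE_SECONDS = 180 * DAY

_DELTA_SECONDS = re.compile(r"^[0-9]+$")


@dataclass
class HstsReport:
    present: bool
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    problems: List[str] = field(default_factory=list)

    @property
    def meets_basic_requirement(self) -> bool:
        """Header present, well-formed, and max-age >= 180 days."""
        return (
            self.present
            and not self.problems
            and self.max_age is not None
            and self.max_age >= MIN_MAX_AGE_SECONDS
        )

    @property
    def preload_ready_header(self) -> bool:
        """Basic requirement plus the two directives the preload list needs.
        The preload service also enforces its own minimum max-age, which is
        deliberately not modelled here."""
        return self.meets_basic_requirement and self.include_subdomains and self.preload


def parse_hsts(header_value: Optional[str]) -> HstsReport:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1."""
    report = HstsReport(present=header_value is not None, max_age=None,
                        include_subdomains=False, preload=False)
    if header_value is None:
        report.problems.append("no Strict-Transport-Security header")
        return report

    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # empty directives (e.g. a trailing ';') are allowed
        name, _, value = directive.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # max-age may be sent as a quoted-string
        if name in seen:
            # A directive appearing twice makes the whole header invalid.
            report.problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if not _DELTA_SECONDS.match(value):
                report.problems.append(f"malformed max-age: {value!r}")
            else:
                report.max_age = int(value)
        elif name == "includesubdomains":
            report.include_subdomains = True
        elif name == "preload":
            report.preload = True
        # Unknown directives are ignored, as the RFC requires.
    if "max-age" not in seen:
        report.problems.append("max-age directive missing")
    return report


# Constructed sample values for the example, not captured from any real site.
SAMPLE_HEADERS: Dict[str, Optional[str]] = {
    "no-hsts": None,
    "one-day": "max-age=86400",
    "basic-only": "max-age=15552000",
    "preload-ready": "max-age=31536000; includeSubDomains; preload",
    "duplicate": "max-age=31536000; max-age=0; preload",
}


def summarize(samples: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Classify each sample header the way a listing reviewer would."""
    verdicts = {}
    for label, value in samples.items():
        r = parse_hsts(value)
        if r.preload_ready_header:
            verdicts[label] = "meets requirement and preload-ready"
        elif r.meets_basic_requirement:
            verdicts[label] = "meets basic requirement; not preload-ready"
        else:
            verdicts[label] = "fails: " + "; ".join(r.problems or ["max-age below 180 days"])
    return verdicts


if __name__ == "__main__":
    for label, verdict in summarize(SAMPLE_HEADERS).items():
        print(f"{label:14} {verdict}")
```

`parse_hsts` takes the raw header string, so it can be fed the value from any HTTP client's response; the `basic-only` sample shows the case the discussion is about: a site that satisfies the 180-day requirement but could not yet be accepted onto the preload list because its header lacks `includeSubDomains` and `preload`.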