Protecting Against HSTS Abuse

What should we say to webmasters regarding this HSTS problem? Is it something they should / could act on regarding the SecureDrop landing page?

It seems that unfortunately the mitigation is mostly browser-side, and for now, I think the best mitigation is not to use a specific subdomain for a landing page, per our (landing page recommendations).

Note that the Tor Browser’s HSTS cache is reset after a new identity is requested, see Tor Browser design 4.5.15. It also seems that Firefox and Chrome now reset the HSTS cache when you are in private browsing mode.
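To make the server-side part of that advice checkable, here is an added example (my own illustration, not SecureDrop's code or part of its landing page recommendations). It parses a Strict-Transport-Security header the way a browser would and flags a landing page that is served from a dedicated subdomain. The subdomain heuristic is a deliberate simplification (a real check would consult the Public Suffix List), and the hostnames and header values are constructed samples.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HstsPolicy:
    """The directives a browser records from one HSTS header (RFC 6797)."""
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.

    Returns None when the header is absent or carries no valid max-age,
    which is exactly the case in which a browser ignores the header.
    """
    if header is None:
        return None
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def is_dedicated_subdomain(host: str) -> bool:
    """Hypothetical simplification: anything deeper than a bare
    second-level name (or its www. alias) counts as a dedicated subdomain.
    A production check should use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    return len(labels) > 2


def review_landing_page(host: str, hsts_header: Optional[str]) -> List[str]:
    """Return the findings a reviewer would raise for one landing page."""
    findings = []
    if is_dedicated_subdomain(host):
        findings.append(
            f"{host}: landing page is served from a dedicated subdomain; "
            "prefer hosting it under the organisation's main hostname"
        )
    policy = parse_hsts(hsts_header)
    if policy is None:
        findings.append(f"{host}: no valid HSTS policy is being sent")
    elif policy.max_age == 0:
        findings.append(f"{host}: max-age=0 tells browsers to discard the policy")
    return findings


if __name__ == "__main__":
    # Constructed sample responses, not real SecureDrop deployments.
    samples = [
        ("securedrop.example-news.org", "max-age=31536000; includeSubDomains"),
        ("example-news.org", "max-age=31536000; includeSubDomains; preload"),
        ("www.example-news.org", None),
    ]
    for host, header in samples:
        for finding in review_landing_page(host, header) or [f"{host}: ok"]:
            print(finding)
```

Running the block prints one line per finding; the dedicated-subdomain sample is the one the thread's advice is about, while the missing-header sample shows the independent check that HSTS is actually in effect.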