Are any of your sites on the https preload list?

[MichaelCorfman]

We all understand it is important for our sites to operate using https from a security perspective. Not using https leaves sites vulnerable to a variety of security issues. Additionally, way back in 2014 Google announced that whether or not a site using https was becoming a ranking signal that influences whether or not a site is shown in search results inn the following post in Google Search Central: HTTPS as a ranking signal

However, even if a site supports https, browsers don't necessarily know that, and so first requests to a site are frequently make using http and then switched to https by the server. The HTTP Strict Transport Security header, or HSTS allows a site to effectively enforce the use of HTTPS. By sending the HSTS header with suitable parameters, the server informs the visiting browser that only the HTTPS version of the requested site is available, and plain HTTP will not be served. To avoid redirects at the start of every visit to the site, the browser remembers this information for the duration specified in the response header.

And if your site follows best practices, it can be submitted to the Chromium HSTS preload list. If your site is on the preload list then many browsers (including Chrome, Firefox, Opera, Safari, Internet Explorer and Microsoft Edge) know to communicate with your site using https and will never use http. You can find out more, and determine the HSTS preload status and eligibility of your domains by visiting hstspreload.org.

For this week's poll I ask whether any or all of your sites are using HSTS and are on the preload list, or whether you plan to implement HSTS. Besides voting in the poll, please share your thoughts in a post.

Speaking for myself, I can say that we are working to place all of our sites on the HSTS preload list. It is a new project for us, and this week we have implemented HSTS headers on our first site, and expect to submit that site to the preload list this week.

Michael

[wonderpunter]

I actually thought i was doing this.. turns out im not so will add mine too

[xecutable]

Seems like they add them pretty fast. I added mine when this poll was created and it has been added now for a few days. I disagree that this forum ever cared about HTTPS.

HTTPS became a ranking factor back in August 2014. I left this forum for the past 3 years, because of the absence of https and total neglect of the user's data. The ssl came I don't know maybe last year or 2 years ago, which would make it 3-4 years after https became a ranking signal.

[gil.langelaan]

Hi Michael!

Very interesting poll and discussion, thanks for asking.

Currently none of my sites are on the preload list, but I think it is something I should do.

I'm planning to discuss it with my colleagues and probably will do something with that.

Please let us know how it goes for you later.

It would be interesting to have a look at your project.

Thank you!

[MichaelCorfman]

Please let us know how it goes for you later.

The first site we submitted to the preload list was casinocitytimes.com. We submitted it shortly after starting this poll and had the same experience xecutable shared above - being added to the preload list happened within a few days of our request to be added.

Michael

[casinoportal]

I haven't heard of this preload list before, I have just added the required code and submitted my site for approval. Easy enough and they seem to be quite quick at adding new sites.

[xecutable]

Turns out Cloudflare had these options as well and if you just set them from your .htaccess then sometimes the above mentioned site gives you the green light, sometimes it gives you the red light with an error.

Once I've changed it around and removed my .htaccess lines and set it up via Cloudflare it works flawlessly. This is for people that might be using the service or some other CDN that might be in-bewteen the user and their site, which may produce occasional errors for no apparent reason.

[AussieDave]

HTTPS became a ranking factor back in August 2014. I left this forum for the past 3 years, because of the absence of https and total neglect of the user's data.

I was going to add my comments about this thread being a JOKE a week or so ago... Why? Because myself and other members were asking for years to have SSL. BUT All we ever got, were 'talk to the hand responses'.

Like most thing at this forum, positive change, only seems to come about, when or if, the action of making said change(s), benefits the owner(s). SSL was only added because Google/Chrome announced it would likely devalue site SERP's IF the site was using NON SSL.

Hence, within literally days, all stops were pulled to add SSL.

If the decrease in ranking was not an eminent risk, I'm 99.999% sure, the GPWA would still be using http

Therefore SSL was not added to protect "members data". No... instead, it was added to protect its SERPS.

[TheGooner]

The idea of a preload list is weak and outdated.
If initial requests in http being rerouted to https was an issue then browsers would simply default to https contact first-up.

The fact that none of the major browsers can be bothered updating their default behaviours shows that there is NO security risk in contacting a site via http initially.

[MichaelCorfman]

The first site we submitted to the preload list was casinocitytimes.com. We submitted it shortly after starting this poll and had the same experience xecutable shared above - being added to the preload list happened within a few days of our request to be added.

I've since come the the conclusion that the quick addition to the HSTS preload list was just a lucky coincidence. Sites added a few days after that are still not on the preload list after nearly a month. So, it seems new sites are added to the list at intervals and we just happened to add a few sites right before an update. Separately, I do note that the hstspreload.org site states: "Note that new entries are hardcoded into the Chrome source code and can take several months before they reach the stable version."

[MichaelCorfman]

If initial requests in http being rerouted to https was an issue then browsers would simply default to https contact first-up.

A first contact with https has issues. If you contact a site using http, it will generally work, oftentimes, but not always, redirecting to https when it is supported. However, if you try to connect to a site using https when the site does not support it, then the connection is generally just refused. That dynamic results in a generally better user experience, at a security cost, to use http if it is not known if https is supported. So, for example, we currently always use http as the protocol for external links when https has not been specifically specified since that way the links generally end up working instead of failing. We are looking at spidering links, partly to determine if they still work, and partly to determine if they should use https rather than http, but that is a lot of work versus simply using http.

Michael

[casinoportal]

I've since come the the conclusion that the quick addition to the HSTS preload list was just a lucky coincidence. Sites added a few days after that are still not on the preload list after nearly a month. So, it seems new sites are added to the list at intervals and we just happened to add a few sites right before an update. Separately, I do note that the hstspreload.org site states: "Note that new entries are hardcoded into the Chrome source code and can take several months before they reach the stable version."

Yep, I submitted mine and checked after a few days and it had still not been added. Just checked now and it is showing that it is currently preloaded, probably taken a couple of weeks. No rush, probably not going to make the slightest bit of difference anyway but it can't hurt. You never know it may be a very small ranking signal Google uses.

[MichaelCorfman]

Yep, I submitted mine and checked after a few days and it had still not been added. Just checked now and it is showing that it is currently preloaded

I also just checked again, and three of the five domains that were pending are now showing as preloaded. One of the domains that is now preloaded is GPWAtimes.org.

Michael

[PROFRBcom]

I also just checked again, and three of the five domains that were pending are now showing as preloaded. One of the domains that is now preloaded is GPWAtimes.org.

Michael

How sure are you?

[universal4]

Status: www.gpwatimes.org is currently preloaded

Worked for me

Rick
Universal4

[MichaelCorfman]

How sure are you?

I'm 100% sure the GPWAtimes.org website is HSTS preloaded. In fact, the image you posted states "Status: gpwatimes.org is currently preloaded" and then goes on to provide a warning about an obsolete cipher suite. I do view that the preload check warning message overstates the situation. We will try to use TLS1.2, which is a current cipher suite that is definitely not obsolete. But we do still accept TLS 1.1 which was deprecated for bank transactions effective March 2020. We continue to support that version only because some older browser versions will not work with subsequent versions of TLS. We don't support cipher suites older than that and so we refuse connections based on TLS 1.0, SSL 3 and SSL 2. We have worked on adding support for the very latest version (TLS 1.3), but there is some software we currently use that is not compatible with TLS 1.3 support.

Interesting that you should ask about this today, since I was discussing TSL version support issues with our technical staff this morning.

Michael

[spartikkhlink]

I don't see any reason to leave the site on http. Firstly, a notification is constantly visible in the browser that the site is not secure. Secondly, it’s not so difficult to do, it’s very simple.

[chaumi]

(real) idiot question......

I understand that preloading mywebsite.com through this form will prevent all subdomains and nested subdomains from being accessed without a valid HTTPS certificate:*.mywebsite.com*.*.mywebsite.com...


Given my preferred is www. am I going to balls it up by submitting???? or does the * mean anything that prefixes mywebsite.com will be ok?

[MichaelCorfman]

I understand that preloading mywebsite.com through this form will prevent all subdomains and nested subdomains from being accessed without a valid HTTPS certificate: *.mywebsite.com.*.mywebsite.com...

Given my preferred is www. am I going to balls it up by submitting???? or does the * mean anything that prefixes mywebsite.com will be ok?

When a domain is preloaded the requirement is that you serve that domain, and all subdomains of that domain, only using https. It is perfectly acceptable, and common practice, to continue to serve your website from a host name with a www prefix.

Michael

[Isaiah]

For those that have all HSTS configuration correct and still getting errors on the HSTS preload list checker (like HTTP does not redirect to HTTPS) have in mind that you should NOT block user agent "Go-http-client/1.1" from your server, as the service uses this user agent to check your domain.