View Poll Results: Are any of your sites on the https preload list?

Voters: 11
  • Yes, all of my sites are on the HSTS preload list: 3 (27.27%)
  • Yes, some of my sites are on the HSTS preload list: 0 (0%)
  • No, none of my sites are currently on the preload list, but I am working on it: 1 (9.09%)
  • No, none of my sites are on the preload list, but I think it is something I should do: 3 (27.27%)
  • No, none of my sites are on the preload list and I'm not sure I care: 4 (36.36%)
  • No, none of my sites are on the preload list and that is the way I want it: 0 (0%)
  1. #1
    MichaelCorfman (GPWA Executive Director)

    We all understand it is important for our sites to operate using https from a security perspective. Not using https leaves sites vulnerable to a variety of security issues. Additionally, way back in 2014 Google announced that whether or not a site using https was becoming a ranking signal that influences whether or not a site is shown in search results in the following post in Google Search Central: HTTPS as a ranking signal

    However, even if a site supports https, browsers don't necessarily know that, and so first requests to a site are frequently made using http and then switched to https by the server. The HTTP Strict Transport Security header, or HSTS, allows a site to effectively enforce the use of HTTPS. By sending the HSTS header with suitable parameters, the server informs the visiting browser that only the HTTPS version of the requested site is available, and plain HTTP will not be served. To avoid redirects at the start of every visit to the site, the browser remembers this information for the duration specified in the response header.

    And if your site follows best practices, it can be submitted to the Chromium HSTS preload list. If your site is on the preload list then many browsers (including Chrome, Firefox, Opera, Safari, Internet Explorer and Microsoft Edge) know to communicate with your site using https and will never use http. You can find out more, and determine the HSTS preload status and eligibility of your domains by visiting hstspreload.org.

    For this week's poll I ask whether any or all of your sites are using HSTS and are on the preload list, or whether you plan to implement HSTS. Besides voting in the poll, please share your thoughts in a post.

    Speaking for myself, I can say that we are working to place all of our sites on the HSTS preload list. It is a new project for us, and this week we have implemented HSTS headers on our first site, and expect to submit that site to the preload list this week.

    Michael
    GPWA Executive Director, Casino City CEO, Friend to the Village Idiot
    Resources for Affiliates: iGamingDirectory.com, iGamingAffiliatePrograms.com, GamingMeets.com

  2. #2
    wonderpunter

    I actually thought I was doing this.. turns out I'm not so will add mine too


  3. #3
    xecutable

    Seems like they add them pretty fast. I added mine when this poll was created and it has been added now for a few days. I disagree that this forum ever cared about HTTPS.

    HTTPS became a ranking factor back in August 2014. I left this forum for the past 3 years, because of the absence of https and total neglect of the user's data. The ssl came I don't know maybe last year or 2 years ago, which would make it 3-4 years after https became a ranking signal.

  4. The Following 2 Users Say Thank You to xecutable For This Useful Post:

    -Shay- (12 April 2021), AussieDave (23 March 2021)

  5. #4
    gil.langelaan

    Hi Michael!

    Very interesting poll and discussion, thanks for asking.

    Currently none of my sites are on the preload list, but I think it is something I should do.

    I'm planning to discuss it with my colleagues and probably will do something with that.

    Please let us know how it goes for you later.

    It would be interesting to have a look at your project.

    Thank you!

  6. #5
    MichaelCorfman (GPWA Executive Director)

    Quote Originally Posted by gil.langelaan View Post
    Please let us know how it goes for you later.
    The first site we submitted to the preload list was casinocitytimes.com. We submitted it shortly after starting this poll and had the same experience xecutable shared above - being added to the preload list happened within a few days of our request to be added.

    Michael

  7. #6
    casinoportal

    I haven't heard of this preload list before, I have just added the required code and submitted my site for approval. Easy enough and they seem to be quite quick at adding new sites.
    "Many of life's failures are people who did not realize how close they were to success when they gave up"

    Online Casino Reviewz - Monopoly Live

  8. #7
    xecutable

    Turns out Cloudflare had these options as well and if you just set them from your .htaccess then sometimes the above mentioned site gives you the green light, sometimes it gives you the red light with an error.

    Once I've changed it around and removed my .htaccess lines and set it up via Cloudflare it works flawlessly. This is for people that might be using the service or some other CDN that might be in-between the user and their site, which may produce occasional errors for no apparent reason.

  9. The Following User Says Thank You to xecutable For This Useful Post:

    universal4 (22 March 2021)

  10. #8
    AussieDave

    Quote Originally Posted by xecutable View Post
    HTTPS became a ranking factor back in August 2014. I left this forum for the past 3 years, because of the absence of https and total neglect of the user's data.
    I was going to add my comments about this thread being a JOKE a week or so ago... Why? Because myself and other members were asking for years to have SSL. BUT All we ever got, were 'talk to the hand responses'.

    Like most things at this forum, positive change, only seems to come about, when or if, the action of making said change(s), benefits the owner(s). SSL was only added because Google/Chrome announced it would likely devalue site SERP's IF the site was using NON SSL.

    Hence, within literally days, all stops were pulled to add SSL.

    If the decrease in ranking was not an imminent risk, I'm 99.999% sure, the GPWA would still be using http

    Therefore SSL was not added to protect "members data". No... instead, it was added to protect its SERPS.
    ---
    Compliance: a code word for control

    ---
    Do the right thing, even when no one is looking. It's called integrity.
    ---

  11. The Following 2 Users Say Thank You to AussieDave For This Useful Post:

    -Shay- (12 April 2021), allaboutthebets (23 March 2021)

  12. #9
    TheGooner

    The idea of a preload list is weak and outdated.
    If initial requests in http being rerouted to https was an issue then browsers would simply default to https contact first-up.

    The fact that none of the major browsers can be bothered updating their default behaviours shows that there is NO security risk in contacting a site via http initially.

  13. The Following User Says Thank You to TheGooner For This Useful Post:

    universal4 (23 March 2021)

  14. #10
    MichaelCorfman (GPWA Executive Director)

    Quote Originally Posted by MichaelCorfman View Post
    The first site we submitted to the preload list was casinocitytimes.com. We submitted it shortly after starting this poll and had the same experience xecutable shared above - being added to the preload list happened within a few days of our request to be added.
    I've since come to the conclusion that the quick addition to the HSTS preload list was just a lucky coincidence. Sites added a few days after that are still not on the preload list after nearly a month. So, it seems new sites are added to the list at intervals and we just happened to add a few sites right before an update. Separately, I do note that the hstspreload.org site states: "Note that new entries are hardcoded into the Chrome source code and can take several months before they reach the stable version."

  15. #11
    MichaelCorfman (GPWA Executive Director)

    Quote Originally Posted by TheGooner View Post
    If initial requests in http being rerouted to https was an issue then browsers would simply default to https contact first-up.
    A first contact with https has issues. If you contact a site using http, it will generally work, oftentimes, but not always, redirecting to https when it is supported. However, if you try to connect to a site using https when the site does not support it, then the connection is generally just refused. That dynamic results in a generally better user experience, at a security cost, to use http if it is not known if https is supported. So, for example, we currently always use http as the protocol for external links when https has not been specifically specified since that way the links generally end up working instead of failing. We are looking at spidering links, partly to determine if they still work, and partly to determine if they should use https rather than http, but that is a lot of work versus simply using http.

    Michael

  16. #12
    casinoportal

    Quote Originally Posted by MichaelCorfman View Post
    I've since come to the conclusion that the quick addition to the HSTS preload list was just a lucky coincidence. Sites added a few days after that are still not on the preload list after nearly a month. So, it seems new sites are added to the list at intervals and we just happened to add a few sites right before an update. Separately, I do note that the hstspreload.org site states: "Note that new entries are hardcoded into the Chrome source code and can take several months before they reach the stable version."
    Yep, I submitted mine and checked after a few days and it had still not been added. Just checked now and it is showing that it is currently preloaded, probably taken a couple of weeks. No rush, probably not going to make the slightest bit of difference anyway but it can't hurt. You never know it may be a very small ranking signal Google uses.

  17. #13
    MichaelCorfman (GPWA Executive Director)

    Quote Originally Posted by casinoportal View Post
    Yep, I submitted mine and checked after a few days and it had still not been added. Just checked now and it is showing that it is currently preloaded
    I also just checked again, and three of the five domains that were pending are now showing as preloaded. One of the domains that is now preloaded is GPWAtimes.org.

    Michael

  18. #14
    PROFRBcom

    Quote Originally Posted by MichaelCorfman View Post
    I also just checked again, and three of the five domains that were pending are now showing as preloaded. One of the domains that is now preloaded is GPWAtimes.org.

    Michael
    How sure are you?

    [Attached image: uSw2N04.jpg]

  19. #15
    universal4 (Forum Administrator)

    Status: www.gpwatimes.org is currently preloaded
    Worked for me

    Rick
    Universal4

  20. #16
    MichaelCorfman (GPWA Executive Director)

    Quote Originally Posted by PROFRBcom View Post
    How sure are you?
    I'm 100% sure the GPWAtimes.org website is HSTS preloaded. In fact, the image you posted states "Status: gpwatimes.org is currently preloaded" and then goes on to provide a warning about an obsolete cipher suite. I do view that the preload check warning message overstates the situation. We will try to use TLS 1.2, which is a current cipher suite that is definitely not obsolete. But we do still accept TLS 1.1 which was deprecated for bank transactions effective March 2020. We continue to support that version only because some older browser versions will not work with subsequent versions of TLS. We don't support cipher suites older than that and so we refuse connections based on TLS 1.0, SSL 3 and SSL 2. We have worked on adding support for the very latest version (TLS 1.3), but there is some software we currently use that is not compatible with TLS 1.3 support.

    Interesting that you should ask about this today, since I was discussing TLS version support issues with our technical staff this morning.

    Michael

  21. #17
    spartikkhlink

    I don't see any reason to leave the site on http. Firstly, a notification is constantly visible in the browser that the site is not secure. Secondly, it’s not so difficult to do, it’s very simple.

  22. #18
    chaumi

    (real) idiot question......

    I understand that preloading mywebsite.com through this form will prevent all subdomains and nested subdomains from being accessed without a valid HTTPS certificate: *.mywebsite.com *.*.mywebsite.com ...


    Given my preferred is www. am I going to balls it up by submitting???? or does the * mean anything that prefixes mywebsite.com will be ok?

  23. #19
    MichaelCorfman (GPWA Executive Director)

    Quote Originally Posted by chaumi View Post
    I understand that preloading mywebsite.com through this form will prevent all subdomains and nested subdomains from being accessed without a valid HTTPS certificate: *.mywebsite.com *.*.mywebsite.com ...

    Given my preferred is www. am I going to balls it up by submitting???? or does the * mean anything that prefixes mywebsite.com will be ok?
    When a domain is preloaded the requirement is that you serve that domain, and all subdomains of that domain, only using https. It is perfectly acceptable, and common practice, to continue to serve your website from a host name with a www prefix.

    Michael

  24. The Following User Says Thank You to MichaelCorfman For This Useful Post:

    chaumi (5 June 2021)

  25. #20
    Isaiah

    For those that have all HSTS configuration correct and still getting errors on the HSTS preload list checker (like HTTP does not redirect to HTTPS) have in mind that you should NOT block user agent "Go-http-client/1.1" from your server, as the service uses this user agent to check your domain.

  26. The Following User Says Thank You to Isaiah For This Useful Post:

    PROFRBcom (18 July 2021)
