View Poll Results: Are any of your sites on the https preload list?

Voters
11. You may not vote on this poll
  • Yes, all of my sites are on the HSTS preload list

    3 27.27%
  • Yes, some of my sites are on the HSTS preload list.

    0 0%
  • No, none of my sites are currently on the preload list, but I am working on it.

    1 9.09%
  • No, none of my sites are on the preload list, but I think it is something I should do.

    3 27.27%
  • No, none of my sites are on the preload list and I'm not sure I care.

    4 36.36%
  • No, none of my sites are on the preload list and that is the way I want it.

    0 0%
Page 1 of 2 12 LastLast
Results 1 to 20 of 21
  1. #1
    MichaelCorfman's Avatar
    MichaelCorfman is offline GPWA Executive Director
    Join Date
    June 2004
    Location
    Newton, MA
    Posts
    4,239
    Thanks
    899
    Thanked 5,478 Times in 1,763 Posts

    Question Are any of your sites on the https preload list?

    We all understand it is important for our sites to operate using https from a security perspective. Not using https leaves sites vulnerable to a variety of security issues. Additionally, way back in 2014 Google announced that whether or not a site using https was becoming a ranking signal that influences whether or not a site is shown in search results inn the following post in Google Search Central: HTTPS as a ranking signal

    However, even if a site supports https, browsers don't necessarily know that, and so first requests to a site are frequently make using http and then switched to https by the server. The HTTP Strict Transport Security header, or HSTS allows a site to effectively enforce the use of HTTPS. By sending the HSTS header with suitable parameters, the server informs the visiting browser that only the HTTPS version of the requested site is available, and plain HTTP will not be served. To avoid redirects at the start of every visit to the site, the browser remembers this information for the duration specified in the response header.

    And if your site follows best practices, it can be submitted to the Chromium HSTS preload list. If your site is on the preload list then many browsers (including Chrome, Firefox, Opera, Safari, Internet Explorer and Microsoft Edge) know to communicate with your site using https and will never use http. You can find out more, and determine the HSTS preload status and eligibility of your domains by visiting hstspreload.org.

    For this week's poll I ask whether any or all of your sites are using HSTS and are on the preload list, or whether you plan to implement HSTS. Besides voting in the poll, please share your thoughts in a post.

    Speaking for myself, I can say that we are working to place all of our sites on the HSTS preload list. It is a new project for us, and this week we have implemented HSTS headers on our first site, and expect to submit that site to the preload list this week.

    Michael
    GPWA Executive Director, Casino City CEO, Friend to the Village Idiot

    Resources for Affiliates: iGamingDirectory.com, iGamingAffiliatePrograms.com, GamingMeets.com

  2. #2
    wonderpunter's Avatar
    wonderpunter is offline Private Member
    Join Date
    August 2013
    Posts
    2,575
    Blog Entries
    5
    Thanks
    402
    Thanked 1,709 Times in 1,029 Posts

    Default

    I actually thought i was doing this.. turns out im not so will add mine too

  3. #3
    xecutable's Avatar
    xecutable is online now Private Member
    Join Date
    March 2011
    Location
    Zurich, Switzerland
    Posts
    1,735
    Thanks
    532
    Thanked 1,034 Times in 592 Posts

    Default

    Seems like they add them pretty fast. I added mine when this poll was created and it has been added now for a few days. I disagree that this forum ever cared about HTTPS.

    HTTPS became a ranking factor back in August 2014. I left this forum for the past 3 years, because of the absence of https and total neglect of the user's data. The ssl came I don't know maybe last year or 2 years ago, which would make it 3-4 years after https became a ranking signal.
    Gambipedia.com - casino & slot reviews accompanied by casino betting guides

  4. The Following 2 Users Say Thank You to xecutable For This Useful Post:

    -Shay- (12 April 2021), AussieDave (23 March 2021)

  5. #4
    gil.langelaan's Avatar
    gil.langelaan is offline Private Member
    Join Date
    July 2018
    Location
    Johannesburg
    Posts
    952
    Thanks
    107
    Thanked 300 Times in 238 Posts

    Default

    Hi Michael!

    Very interesting poll and discussion, thanks for asking.

    Currently none of my sites are on the preload list, but I think it is something I should do.

    I'm planning to discuss it with my colleagues and probably will do something with that.

    Please let us know how it goes for you later.

    It would be interesting to have a look at your project.

    Thank you!

  6. #5
    MichaelCorfman's Avatar
    MichaelCorfman is offline GPWA Executive Director
    Join Date
    June 2004
    Location
    Newton, MA
    Posts
    4,239
    Thanks
    899
    Thanked 5,478 Times in 1,763 Posts

    Default

    Quote Originally Posted by gil.langelaan View Post
    Please let us know how it goes for you later.
    The first site we submitted to the preload list was casinocitytimes.com. We submitted it shortly after starting this poll and had the same experience xecutable shared above - being added to the preload list happened within a few days of our request to be added.

    Michael
    GPWA Executive Director, Casino City CEO, Friend to the Village Idiot

    Resources for Affiliates: iGamingDirectory.com, iGamingAffiliatePrograms.com, GamingMeets.com

  7. #6
    casinoportal's Avatar
    casinoportal is offline Private Member
    Join Date
    June 2002
    Location
    UK
    Posts
    1,149
    Blog Entries
    1
    Thanks
    35
    Thanked 152 Times in 98 Posts

    Default

    I haven't heard of this preload list before, I have just added the required code and submitted my site for approval. Easy enough and they seem to be quite quick at adding new sites.
    "Many of life's failures are people who did not realize how close they were to success when they gave up"

    Online Casino Reviewz

  8. #7
    xecutable's Avatar
    xecutable is online now Private Member
    Join Date
    March 2011
    Location
    Zurich, Switzerland
    Posts
    1,735
    Thanks
    532
    Thanked 1,034 Times in 592 Posts

    Default

    Turns out Cloudflare had these options as well and if you just set them from your .htaccess then sometimes the above mentioned site gives you the green light, sometimes it gives you the red light with an error.

    Once I've changed it around and removed my .htaccess lines and set it up via Cloudflare it works flawlessly. This is for people that might be using the service or some other CDN that might be in-bewteen the user and their site, which may produce occasional errors for no apparent reason.
    Gambipedia.com - casino & slot reviews accompanied by casino betting guides

  9. The Following User Says Thank You to xecutable For This Useful Post:

    universal4 (22 March 2021)

  10. #8
    AussieDave's Avatar
    AussieDave is offline Public Member
    Join Date
    November 2005
    Location
    from the land downunder
    Posts
    4,126
    Blog Entries
    1
    Thanks
    1,704
    Thanked 1,949 Times in 1,112 Posts

    Default

    Quote Originally Posted by xecutable View Post
    HTTPS became a ranking factor back in August 2014. I left this forum for the past 3 years, because of the absence of https and total neglect of the user's data.
    I was going to add my comments about this thread being a JOKE a week or so ago... Why? Because myself and other members were asking for years to have SSL. BUT All we ever got, were 'talk to the hand responses'.

    Like most thing at this forum, positive change, only seems to come about, when or if, the action of making said change(s), benefits the owner(s). SSL was only added because Google/Chrome announced it would likely devalue site SERP's IF the site was using NON SSL.

    Hence, within literally days, all stops were pulled to add SSL.

    If the decrease in ranking was not an eminent risk, I'm 99.999% sure, the GPWA would still be using http

    Therefore SSL was not added to protect "members data". No... instead, it was added to protect its SERPS.
    ---
    Compliance: a code word for control

    ---
    Do the right thing, even when no one is looking. It's called integrity.
    ---

    It's your right to be treated honestly: fairness for all igaming affiliates - doch.news

  11. The Following 2 Users Say Thank You to AussieDave For This Useful Post:

    -Shay- (12 April 2021), allaboutthebets (23 March 2021)

  12. #9
    TheGooner's Avatar
    TheGooner is offline Private Member
    Join Date
    March 2007
    Location
    New Zealand
    Posts
    4,278
    Thanks
    1,962
    Thanked 4,229 Times in 2,013 Posts

    Default

    The idea of a preload list is weak and outdated.
    If initial requests in http being rerouted to https was an issue then browsers would simply default to https contact first-up.

    The fact that none of the major browsers can be bothered updating their default behaviours shows that there is NO security risk in contacting a site via http initially.

  13. The Following User Says Thank You to TheGooner For This Useful Post:

    universal4 (23 March 2021)

  14. #10
    MichaelCorfman's Avatar
    MichaelCorfman is offline GPWA Executive Director
    Join Date
    June 2004
    Location
    Newton, MA
    Posts
    4,239
    Thanks
    899
    Thanked 5,478 Times in 1,763 Posts

    Default

    Quote Originally Posted by MichaelCorfman View Post
    The first site we submitted to the preload list was casinocitytimes.com. We submitted it shortly after starting this poll and had the same experience xecutable shared above - being added to the preload list happened within a few days of our request to be added.
    I've since come the the conclusion that the quick addition to the HSTS preload list was just a lucky coincidence. Sites added a few days after that are still not on the preload list after nearly a month. So, it seems new sites are added to the list at intervals and we just happened to add a few sites right before an update. Separately, I do note that the hstspreload.org site states: "Note that new entries are hardcoded into the Chrome source code and can take several months before they reach the stable version."
    GPWA Executive Director, Casino City CEO, Friend to the Village Idiot

    Resources for Affiliates: iGamingDirectory.com, iGamingAffiliatePrograms.com, GamingMeets.com

  15. #11
    MichaelCorfman's Avatar
    MichaelCorfman is offline GPWA Executive Director
    Join Date
    June 2004
    Location
    Newton, MA
    Posts
    4,239
    Thanks
    899
    Thanked 5,478 Times in 1,763 Posts

    Default

    Quote Originally Posted by TheGooner View Post
    If initial requests in http being rerouted to https was an issue then browsers would simply default to https contact first-up.
    A first contact with https has issues. If you contact a site using http, it will generally work, oftentimes, but not always, redirecting to https when it is supported. However, if you try to connect to a site using https when the site does not support it, then the connection is generally just refused. That dynamic results in a generally better user experience, at a security cost, to use http if it is not known if https is supported. So, for example, we currently always use http as the protocol for external links when https has not been specifically specified since that way the links generally end up working instead of failing. We are looking at spidering links, partly to determine if they still work, and partly to determine if they should use https rather than http, but that is a lot of work versus simply using http.

    Michael
    GPWA Executive Director, Casino City CEO, Friend to the Village Idiot

    Resources for Affiliates: iGamingDirectory.com, iGamingAffiliatePrograms.com, GamingMeets.com

  16. #12
    casinoportal's Avatar
    casinoportal is offline Private Member
    Join Date
    June 2002
    Location
    UK
    Posts
    1,149
    Blog Entries
    1
    Thanks
    35
    Thanked 152 Times in 98 Posts

    Default

    Quote Originally Posted by MichaelCorfman View Post
    I've since come the the conclusion that the quick addition to the HSTS preload list was just a lucky coincidence. Sites added a few days after that are still not on the preload list after nearly a month. So, it seems new sites are added to the list at intervals and we just happened to add a few sites right before an update. Separately, I do note that the hstspreload.org site states: "Note that new entries are hardcoded into the Chrome source code and can take several months before they reach the stable version."
    Yep, I submitted mine and checked after a few days and it had still not been added. Just checked now and it is showing that it is currently preloaded, probably taken a couple of weeks. No rush, probably not going to make the slightest bit of difference anyway but it can't hurt. You never know it may be a very small ranking signal Google uses.
    "Many of life's failures are people who did not realize how close they were to success when they gave up"

    Online Casino Reviewz

  17. #13
    MichaelCorfman's Avatar
    MichaelCorfman is offline GPWA Executive Director
    Join Date
    June 2004
    Location
    Newton, MA
    Posts
    4,239
    Thanks
    899
    Thanked 5,478 Times in 1,763 Posts

    Default

    Quote Originally Posted by casinoportal View Post
    Yep, I submitted mine and checked after a few days and it had still not been added. Just checked now and it is showing that it is currently preloaded
    I also just checked again, and three of the five domains that were pending are now showing as preloaded. One of the domains that is now preloaded is GPWAtimes.org.

    Michael
    GPWA Executive Director, Casino City CEO, Friend to the Village Idiot

    Resources for Affiliates: iGamingDirectory.com, iGamingAffiliatePrograms.com, GamingMeets.com

  18. #14
    PROFRBcom's Avatar
    PROFRBcom is offline Private Member
    Join Date
    April 2013
    Posts
    2,106
    Thanks
    1,457
    Thanked 1,192 Times in 772 Posts

    Default

    Quote Originally Posted by MichaelCorfman View Post
    I also just checked again, and three of the five domains that were pending are now showing as preloaded. One of the domains that is now preloaded is GPWAtimes.org.

    Michael
    How sure are you?

    Name:  uSw2N04.jpg
Views: 105
Size:  14.8 KB

  19. #15
    universal4's Avatar
    universal4 is offline Forum Administrator
    Join Date
    July 2003
    Location
    Courage is being scared to death...and saddling up anyway. John Wayne
    Posts
    28,493
    Thanks
    2,340
    Thanked 8,027 Times in 5,070 Posts

    Default

    Status: www.gpwatimes.org is currently preloaded
    Worked for me

    Rick
    Universal4

  20. #16
    MichaelCorfman's Avatar
    MichaelCorfman is offline GPWA Executive Director
    Join Date
    June 2004
    Location
    Newton, MA
    Posts
    4,239
    Thanks
    899
    Thanked 5,478 Times in 1,763 Posts

    Default

    Quote Originally Posted by PROFRBcom View Post
    How sure are you?
    I'm 100% sure the GPWAtimes.org website is HSTS preloaded. In fact, the image you posted states "Status: gpwatimes.org is currently preloaded" and then goes on to provide a warning about an obsolete cipher suite. I do view that the preload check warning message overstates the situation. We will try to use TLS1.2, which is a current cipher suite that is definitely not obsolete. But we do still accept TLS 1.1 which was deprecated for bank transactions effective March 2020. We continue to support that version only because some older browser versions will not work with subsequent versions of TLS. We don't support cipher suites older than that and so we refuse connections based on TLS 1.0, SSL 3 and SSL 2. We have worked on adding support for the very latest version (TLS 1.3), but there is some software we currently use that is not compatible with TLS 1.3 support.

    Interesting that you should ask about this today, since I was discussing TSL version support issues with our technical staff this morning.

    Michael
    GPWA Executive Director, Casino City CEO, Friend to the Village Idiot

    Resources for Affiliates: iGamingDirectory.com, iGamingAffiliatePrograms.com, GamingMeets.com

  21. #17
    spartikkhlink's Avatar
    spartikkhlink is offline Private Member
    Join Date
    April 2021
    Location
    Ukraine
    Posts
    45
    Thanks
    7
    Thanked 6 Times in 6 Posts

    Default

    I don't see any reason to leave the site on http. Firstly, a notification is constantly visible in the browser that the site is not secure. Secondly, it’s not so difficult to do, it’s very simple.
    The Best Escorts in Stamford CT only on LadyForDaddy.

    https://d-2.com.ua/

  22. #18
    chaumi is online now Private Member
    Join Date
    October 2013
    Location
    East Midlands
    Posts
    886
    Thanks
    211
    Thanked 432 Times in 322 Posts

    Default

    (real) idiot question......

    I understand that preloading mywebsite.com through this form will prevent all subdomains and nested subdomains from being accessed without a valid HTTPS certificate:*.mywebsite.com*.*.mywebsite.com...


    Given my preferred is www. am I going to balls it up by submitting???? or does the * mean anything that prefixes mywebsite.com will be ok?

  23. #19
    MichaelCorfman's Avatar
    MichaelCorfman is offline GPWA Executive Director
    Join Date
    June 2004
    Location
    Newton, MA
    Posts
    4,239
    Thanks
    899
    Thanked 5,478 Times in 1,763 Posts

    Default

    Quote Originally Posted by chaumi View Post
    I understand that preloading mywebsite.com through this form will prevent all subdomains and nested subdomains from being accessed without a valid HTTPS certificate: *.mywebsite.com.*.mywebsite.com...

    Given my preferred is www. am I going to balls it up by submitting???? or does the * mean anything that prefixes mywebsite.com will be ok?
    When a domain is preloaded the requirement is that you serve that domain, and all subdomains of that domain, only using https. It is perfectly acceptable, and common practice, to continue to serve your website from a host name with a www prefix.

    Michael
    GPWA Executive Director, Casino City CEO, Friend to the Village Idiot

    Resources for Affiliates: iGamingDirectory.com, iGamingAffiliatePrograms.com, GamingMeets.com

  24. The Following User Says Thank You to MichaelCorfman For This Useful Post:

    chaumi (5 June 2021)

  25. #20
    Isaiah's Avatar
    Isaiah is offline Private Member
    Join Date
    September 2007
    Posts
    63
    Thanks
    17
    Thanked 24 Times in 17 Posts

    Default

    For those that have all HSTS configuration correct and still getting errors on the HSTS preload list checker (like HTTP does not redirect to HTTPS) have in mind that you should NOT block user agent "Go-http-client/1.1" from your server, as the service uses this user agent to check your domain.

  26. The Following User Says Thank You to Isaiah For This Useful Post:

    PROFRBcom (18 July 2021)

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •