[ARIN-Suggestions] Response to Suggestion 2015.2: SUPPORT HSTS WHERE TECHNICALLY FEASIBLE
info at arin.net
Thu Apr 23 09:50:34 EDT 2015
ARIN has issued its final response to ACSP Suggestion 2015.2. The
suggestion and response text are provided below. This suggestion is now
closed and is available at:
Communications and Member Services
American Registry for Internet Numbers (ARIN)
Description: Support HSTS where technically feasible.
Submitter has noticed that www.arin.net has for some time been
https-only, with attempts to connect via http issued a 301 redirect to
the https site.
An improvement upon this practice would be to support HTTP Strict
Transport Security (RFC 6797). At a high level, HSTS informs capable
browsers [*] via an additional header in each HTTPS session that for a
certain period of time (typically months to one year) they should never
try to connect to the site via unencrypted HTTP. This is an additional
layer of protection against man in the middle attacks.
[*] At this writing, HSTS is widely supported (Chrome, Firefox, Opera,
Safari, and upcoming in IE for Windows 10).
Value to Community: Increased protection against spoofing/MITM attacks
12 February 2015
Thank you for submitting your suggestion, numbered 2015.2, on the topic
of HSTS support for the ARIN website.
We will explore HSTS support to our website. Provided there are no
adverse effects in testing, we will be rolling this improvement out
within the next 60 days. Thank you again for suggesting this
improvement. This ACSP item will remain open until the work is completed.
22 April 2015
HSTS functionality was successfully deployed on both our production and
OT&E servers on April 20. This suggestion is now closed.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the arin-suggestions