id: 1365
summary: shellinabox should set HSTS flag
reporter: geofft
owner:
type: enhancement
status: new
priority: normal
milestone: The Distant Future
component: linerva
resolution:
keywords:
cc:
fix_version:
see_also:

description:

We should use [http://dev.chromium.org/sts HTTP Strict Transport Security] to work around some possible MITMs against users who just type in `linerva.mit.edu` or `athena.dialup.mit.edu`, with no explicit protocol, into their browser. This involves setting a header in the HTTPS response that causes the site to always be accessed over HTTPS, and redirecting from HTTP to HTTPS.

This is very slightly more complicated for Linerva since we currently have a home page that is at least slightly interesting (e.g., I find it nice that people curious about traffic originating from Linerva can see a website). But this can be solved by making the link at the top of the SIAB page a little more prominent. For athena.dialup, HTTP already redirects to HTTPS.
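Added example, not part of the ticket and not shellinabox's own code: the two halves of the deployment the ticket asks for, written as a small Python program so they can be exercised offline. It assumes the redirect and the header are produced by something in front of shellinabox (a reverse proxy or a dedicated redirector; the ticket does not say which). The plain-HTTP half is a real redirector bound to the loopback interface on an ephemeral port; the HTTPS half is represented only by its response headers, because no certificate is created here. `hsts_header`, `parse_hsts`, `check_deployment` and `demo_redirect` are names chosen for this example, and the sample responses fed to the checker are constructed.

```python
"""HSTS deployment pieces: an HTTP->HTTPS redirector, the header value for the
HTTPS side, an RFC 6797 parser, and a checker for a captured pair of responses.
Example code written for this page; hostnames and responses are constructed."""
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

HSTS_MAX_AGE = 31536000  # one year, in seconds; browsers refresh it on every HTTPS visit


def hsts_header(max_age=HSTS_MAX_AGE, include_subdomains=False):
    """Build the Strict-Transport-Security value. Send it on HTTPS responses only:
    RFC 6797 section 8.1 makes browsers ignore it when received over plain HTTP."""
    value = f"max-age={int(max_age)}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def parse_hsts(value):
    """Parse an STS header value the way a browser does (RFC 6797 section 6.1):
    directives are ';'-separated, names are case-insensitive, each may appear at
    most once, and max-age is required and must be a non-negative integer.
    Returns a dict of directives, or None if the header is invalid and ignored."""
    result = {}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name in result:
            return None  # duplicate directive: whole header is ignored
        result[name] = arg.strip().strip('"')
    if "max-age" not in result or not re.fullmatch(r"[0-9]+", result["max-age"]):
        return None
    result["max-age"] = int(result["max-age"])
    return result


def check_deployment(host, http_status, http_headers, https_headers):
    """Check the two conditions from the ticket for one host: the plain-HTTP
    response is a permanent redirect to https:// on the same host, and the
    HTTPS response carries a valid STS header. Header dicts use lowercase keys.
    Returns a list of findings; an empty list means the deployment is correct."""
    findings = []
    wanted = f"https://{host.lower()}"
    location = http_headers.get("location", "").lower()
    if http_status not in (301, 308):
        findings.append(f"http: expected a permanent redirect, got {http_status}")
    elif location != wanted and not location.startswith(wanted + "/"):
        findings.append(f"http: redirect target is not {wanted}/: {location!r}")
    if "strict-transport-security" in http_headers:
        findings.append("http: STS header on a plain-HTTP response is ignored; "
                        "it must be on the HTTPS response")
    sts = https_headers.get("strict-transport-security")
    if sts is None:
        findings.append("https: Strict-Transport-Security header missing")
    else:
        parsed = parse_hsts(sts)
        if parsed is None:
            findings.append(f"https: malformed STS header {sts!r}, browsers ignore it")
        elif parsed["max-age"] == 0:
            findings.append("https: max-age=0 deletes the policy instead of setting one")
    return findings


class Redirector(BaseHTTPRequestHandler):
    """Plain-HTTP side: answer every request with a redirect to the HTTPS origin.
    The port is dropped from the Host header because HTTPS lives on 443."""

    def do_GET(self):
        host = self.headers.get("Host", "localhost").rsplit(":", 1)[0]
        self.send_response(301)
        self.send_header("Location", f"https://{host}{self.path}")
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo_redirect(path="/"):
    """Start the redirector on an ephemeral loopback port, fetch `path` over plain
    HTTP, and return (status, Location). Nothing leaves the machine."""
    server = HTTPServer(("127.0.0.1", 0), Redirector)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("GET", path)
        resp = conn.getresponse()
        result = (resp.status, resp.getheader("Location"))
        conn.close()
        return result
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("redirect:", demo_redirect("/term"))
    # Constructed responses for the host named in the ticket.
    print("findings:", check_deployment(
        "linerva.mit.edu", 301, {"location": "https://linerva.mit.edu/"},
        {"strict-transport-security": hsts_header()}))
```

The checker deliberately treats a malformed header as missing, since that is what a browser does: a typo such as `max_age` or a duplicated directive silently leaves users without the protection the ticket is after, so it is worth testing the header as parsed rather than merely checking that it is present.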