ACSP Suggestion 2015.2: Support HSTS Where Technically Feasible

Suggestion

Author: Robert Seastrom   
Submitted On: 23 January 2015

Description:

Support HSTS where technically feasible.

Submitter has noticed that www.arin.net has for some time been https-only, with attempts to connect via http being issued a 301 redirect to the https site.

An improvement upon this practice would be to support HTTP Strict Transport Security (RFC 6797). At a high level, HSTS informs capable browsers [*] via an additional header in each HTTPS session that for a certain period of time (typically months to one year) they should never try to connect to the site via unencrypted HTTP. This is an additional layer of protection against man-in-the-middle attacks.

[*] At this writing, HSTS is widely supported (Chrome, Firefox, Opera, Safari, and upcoming in IE for Windows 10).

Value to Community: Increased protection against spoofing/MITM attacks

Timeframe: Immediate
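The following is an added example, not code from ARIN or the submitter, that models the browser-side behaviour the suggestion describes: the policy is learned only from a Strict-Transport-Security header received over HTTPS, remembered for max-age seconds, and then used to rewrite later http:// requests for that host to https://. Header values, hosts and URLs below are constructed for illustration.

```python
"""Model of HSTS (RFC 6797) as seen from the browser: learn, then enforce."""
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse an HSTS header value into (max_age, include_subdomains).

    Returns None when the header is absent or malformed (RFC 6797 requires
    a max-age directive; a header without one must be ignored).
    """
    if header is None:
        return None
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # non-numeric max-age: treat header as invalid
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


def learn_policy(response_scheme, host, headers):
    """Return the policy a browser remembers after one response, or None.

    The header is only honoured on an HTTPS response (a plain-HTTP response
    could have been injected by a man-in-the-middle), and max-age=0 tells
    the browser to forget any policy it holds for the host.
    """
    if response_scheme != "https":
        return None
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    parsed = parse_hsts(lowered.get("strict-transport-security"))
    if parsed is None or parsed[0] == 0:
        return None
    return {"host": host.lower(), "max_age": parsed[0], "include_subdomains": parsed[1]}


def rewrite_url(url, policies):
    """Upgrade an http:// URL to https:// when a remembered policy covers its host."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    for p in policies:
        covered = host == p["host"] or (p["include_subdomains"] and host.endswith("." + p["host"]))
        if covered and parts.scheme == "http":
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return url  # no policy: the browser would still send plain HTTP here
```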

Status: Closed   Updated: 22 April 2015

Tracking Information

ARIN Comment

12 February 2015

Thank you for submitting your suggestion, numbered 2015.2, on the topic of HSTS support for the ARIN website.

We will explore HSTS support for our website. Provided there are no adverse effects in testing, we will be rolling this improvement out within the next 60 days. Thank you again for suggesting this improvement. This ACSP item will remain open until the work is completed.

ARIN Comment

22 April 2015

HSTS functionality was successfully deployed on both our production and OT&E servers on April 20. This suggestion is now closed.