[OmniOS-discuss] Wiki is slightly broken

Jacob Vosmaer contact at jacobvosmaer.nl
Mon Apr 25 18:55:14 UTC 2016


Thanks Eric!

It seems like I accidentally took this thread off-list. I think the summary
for everyone else is: HSTS on omniti.com accidentally trickled down to
omnios.omniti.com, affecting visitors who loaded up omnios.omniti.com at
just the right (wrong) time. HSTS headers should have been fixed now.

2016-04-25 20:46 GMT+02:00 Eric Sproul <eric.sproul at circonus.com>:

> Hi Jacob,
> The OmniTI folks did roll out HSTS recently, but (as I'm sure many
> others have) quickly realized that including all subdomains wasn't
> feasible.  They now no longer set that for omniti.com, and have set
> the max-age parameter to 1 second.  I'm not sure how you go about
> clearing the HSTS info from your browser, but if you do that, you
> should be good.
>
> Eric
>
> On Mon, Apr 25, 2016 at 10:35 AM, Eric Sproul <eric.sproul at circonus.com> wrote:
> > On Mon, Apr 25, 2016 at 10:26 AM, Jacob Vosmaer <contact at jacobvosmaer.nl> wrote:
> >> Thanks Eric.
> >>
> >> I am not using HTTPS Everywhere. According to chrome://net-internals/#hsts
> >> omnios.omniti.com my Chrome thinks omnios.omniti.com wants 'Strict Transport
> >> Security'.
> >>
> >> static_sts_domain: omniti.com
> >> static_upgrade_mode: STRICT
> >> static_sts_include_subdomains: true
> >> static_sts_observed: 1461128400
> >>
> >> That timestamp is about five days ago. Could it be that OmniTI temporarily
> >> deployed HSTS and I got unlucky?
> >
> > Interesting... I'll ask my OmniTI colleagues.
> >
> > Eric
>
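
The behaviour summarised in this thread, as an added example that is not part of the original messages: a small model of a browser's dynamic HSTS cache showing how an `includeSubDomains` policy noted for omniti.com upgrades omnios.omniti.com, and why the corrected `max-age=1` header only helps clients that receive it. `HstsStore`, `parse_sts` and `replay` are hypothetical names, the original `max-age` value is constructed because the thread does not state it, and the quoted observation timestamp is assumed to be when the header was received.

```python
def parse_sts(header):
    """Return (max_age, include_subdomains), or None if the header is unusable."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    """Minimal model of a browser's dynamic HSTS cache (RFC 6797 semantics)."""
    def __init__(self):
        self.hosts = {}  # host -> (expiry_epoch, include_subdomains)

    def note_header(self, host, header, now):
        policy = parse_sts(header)
        if policy is None:
            return
        max_age, include_sub = policy
        if max_age == 0:
            self.hosts.pop(host.lower(), None)  # max-age=0 deletes the entry
        else:
            self.hosts[host.lower()] = (now + max_age, include_sub)

    def upgraded_by(self, host, now):
        """Return the cached host whose policy forces HTTPS for `host`, else None."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            # i == 0 is an exact match; parents apply only with includeSubDomains
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return ".".join(labels[i:])
        return None

def replay(host="omnios.omniti.com"):
    t0 = 1461128400  # observation time quoted in the thread
    later = t0 + 5 * 86400
    fixed, stale = HstsStore(), HstsStore()
    for store in (fixed, stale):  # constructed header: the original max-age is not on the page
        store.note_header("omniti.com", "max-age=31536000; includeSubDomains", t0)
    during = fixed.upgraded_by(host, later)
    fixed.note_header("omniti.com", "max-age=1", later)  # corrected header per the thread
    return during, fixed.upgraded_by(host, later + 2), stale.upgraded_by(host, later + 2)
```

`replay()` returns the policy source for the subdomain before the fix, after a client has received the corrected header, and for a client that never revisited omniti.com; the last one stays upgraded until its cached entry expires or is cleared.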