[Ach] few suggestions: HSTS, code / config snippets

Martin Rublik martin.rublik at gmail.com
Thu Jan 9 12:13:13 CET 2014

Dear all,

I think that Better Crypto project is interesting and it is going to be a
valuable resource.

I've had a little discussion on improvements in the project with Aaron yesterday
and he suggested to post the thoughts here for discussion.

1. HSTS and HTTPS redirects
I quickly skimmed through the document and saw no explanation of HSTS / HTTPS
redirects. I think it would be nice to add a short explanation of HSTS before

Especially it would be nice to point out that one should avoid HSTS for OCSP and
CRL distribution point URIs.

I guess the topic on HSTS / HTTPS redirects would fit in theory part along with
a little explanation of SSL/TLS, or at least as a note in references in the
Webservers section. One could cite at least RFC 6797 (at least section 11
https://tools.ietf.org/html/rfc6797#section-11 ) and OWASP

2. code / config snipets
It would be great to have downloadable txt code / config files. The copy/paste
would be much easier. As far as I can see you use listings package. It would be
possible to put the listings in seperate files and input them using
\lstinputlisting. One could also publish the listings on a web site and link it
in the document.

I skimmed through the sources and I see a macro @@@CIPHERSTRINGB@@@ in the
listings (there might be more ...). In order to keep the variable Aaron sugested
to use perlify script. This way we could have a text listing (that could be fed
to lstinputlisting and published on a page) and still use the variable in source.

Finally, I have some knowledge with MS technologies, so I might help with IIS at
least as a reviewer or as a contributor. Looking forward.

Best regards

Martin Rublik


221 Bye

More information about the Ach mailing list