
> Humans are gonna www- things.

The same humans who incorrectly add "www." when not told to are also unlikely to add "https://". So have the www. version redirect to the correct URL with HTTPS.

For that matter, since certificates with Let's Encrypt support arbitrarily many SubjectAltName (SAN) values, you can include the www variant in the certificate, so that your redirect can use HTTPS and HSTS.



But then, if I'm MITMing you, I can just silently keep you on www, without SSL, without caring about HSTS or anything.


If WordPress enables (preloaded) HSTS, that would not matter.
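The two points made above (put the www name in the SAN list and redirect it over HTTPS; only a preloaded HSTS policy with includeSubDomains stops a network attacker from keeping a visitor on plaintext www) can be checked mechanically. The following is an added example, not code from the thread or from WordPress: it parses a Strict-Transport-Security header, reports why it would fail the hstspreload.org eligibility rules (max-age of at least one year, includeSubDomains, preload, and an HTTP-to-HTTPS redirect that stays on the same host), and, for a constructed redirect chain, lists the plaintext hops a browser would still send when its HSTS cache does not cover the host. The header strings, the hop lists and the domain example.com are constructed for illustration.

```python
"""HSTS preload eligibility and plaintext-hop check (added example; inputs constructed)."""
from urllib.parse import urlsplit

PRELOAD_MIN_MAX_AGE = 31_536_000  # one year, the minimum hstspreload.org accepts


def parse_hsts(header):
    """Parse a Strict-Transport-Security value; directive names are case-insensitive."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"invalid max-age: {value!r}")
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def preload_problems(header):
    """Return the reasons a header is not preload-eligible (empty list means OK)."""
    policy = parse_hsts(header)
    problems = []
    if policy["max_age"] is None:
        problems.append("max-age missing")
    elif policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy['max_age']} < {PRELOAD_MIN_MAX_AGE}")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains missing (www.* would stay unprotected)")
    if not policy["preload"]:
        problems.append("preload directive missing")
    return problems


def first_redirect_same_host(hops):
    """hstspreload.org requires http://host to redirect to https://host before
    any cross-host hop, so the HSTS header is seen for that exact host."""
    if len(hops) < 2:
        return False
    first, second = urlsplit(hops[0]), urlsplit(hops[1])
    return (first.scheme == "http" and second.scheme == "https"
            and first.hostname == second.hostname)


def plaintext_exposure(hops, hsts_scope):
    """Return the URLs in a redirect chain that a browser would fetch over plain
    HTTP given the HSTS entries it already holds.

    hsts_scope maps a host to its includeSubDomains flag, e.g. {"example.com": True}.
    Any hop not covered by an entry is a point where a network attacker can
    answer instead of the real server and never issue the HTTPS redirect.
    """
    exposed = []
    for url in hops:
        parts = urlsplit(url)
        if parts.scheme == "https":
            continue
        host = parts.hostname or ""
        covered = any(host == base or (subs and host.endswith("." + base))
                      for base, subs in hsts_scope.items())
        if not covered:
            exposed.append(url)
    return exposed


if __name__ == "__main__":
    # Constructed headers: a weak one and one that meets the preload rules.
    for hdr in ("max-age=300", "max-age=31536000; includeSubDomains; preload"):
        print(hdr, "->", preload_problems(hdr) or "preload-eligible")

    # Constructed chain: www typed by hand, redirected to the apex over HTTPS.
    chain = ["http://www.example.com/", "https://www.example.com/", "https://example.com/"]
    print("same-host first redirect:", first_redirect_same_host(chain))
    # Apex-only HSTS leaves the www hop in plaintext; includeSubDomains closes it.
    print("apex only:", plaintext_exposure(chain, {"example.com": False}))
    print("with includeSubDomains:", plaintext_exposure(chain, {"example.com": True}))
```

The scope dict stands in for the browser's HSTS cache or the preload list; until the apex policy with includeSubDomains is actually preloaded, a first visit to www over plain HTTP is exactly the hop the second comment describes, and the function reports it.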



