A quick look inside the HSTS file (shkspr.mobi)
10 points by robin_reala on Jan 4, 2024 | hide | past | favorite | 10 comments


No mention that this is just the preload list and isn't really required. HSTS normally operates by a trust on first use model, where a header returned the first time you access a server tells your browser to add the domain to its internal HSTS list.
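A minimal model of the trust-on-first-use mechanism this comment describes, as an added example (not code from the linked article or from the commenter): it parses the Strict-Transport-Security header, keeps the per-host list a browser builds from headers seen over TLS (with max-age expiry, includeSubDomains and max-age=0 removal), and upgrades http URLs for hosts on that list. Host names and header values used are constructed; the injectable clock is there only so expiry can be simulated offline.

```python
import re
import time

def parse_sts(header):
    """Return (max_age, include_subdomains); None if invalid (max-age is mandatory)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    def __init__(self, now=time.time):
        self.now = now    # injectable clock so expiry can be simulated
        self.hosts = {}   # host -> (expiry_time, include_subdomains)

    def observe(self, host, header, over_tls=True):
        """Record a response header; it is ignored unless received over TLS."""
        parsed = parse_sts(header) if over_tls else None
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:   # max-age=0 tells the client to forget the host
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = (self.now() + max_age, include_sub)

    def is_known(self, host):
        """True if host, or a parent entry with includeSubDomains, is still live."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            cand = ".".join(labels[i:])
            entry = self.hosts.get(cand)
            if entry and entry[0] <= self.now():
                del self.hosts[cand]   # lazily drop expired entries
            elif entry and (i == 0 or entry[1]):
                return True
        return False

    def upgrade(self, url):
        """Rewrite http:// to https:// for known hosts; other URLs pass through."""
        m = re.match(r"http://([^/:?#]+)(.*)", url)   # host, then the rest
        if m and self.is_known(m.group(1)):
            return "https://" + m.group(1) + m.group(2)
        return url
```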


This changed as of like two weeks ago in Chrome. There's now a preemptive attempt to make https happen: https-upgrades. https://groups.google.com/a/chromium.org/g/blink-dev/c/cAS52...

I find it quite recommendable to follow blink-dev. You can check in every couple months & see what's happening with the browser in a way that nothing else will show you. Each Intent also links to other implementer signals, so you can assess easily in relation to other browsers.


I hope they do this better than Firefox did.

In Firefox, if I try to go to a LAN host by IP, it will (often?) try http, and if that fails, try https, and if that fails, show an error page, but the address bar has https... so if I edit the url, it's now https. Major PITA.


I hope this will finally bully Australia’s Bureau of Meteorology to either implement HTTPS properly, or stop listening on port 443. Currently, https://www.bom.gov.au/ redirects you to http://www.bom.gov.au/akamai/https-redirect.html which says “we don’t support HTTPS”, which is far worse than just not supporting HTTPS. Until I found another last week¹ this was the only site I’d encountered in a little over three years of browsing with Firefox’s HTTPS-Only Mode where HTTPS was deliberately broken. (There were also another three or four with accidental breakages, mostly minor.)

I’ve tried contacting BOM by various means, but never received even a response. While they had weather.bom.gov.au it was OK because that was served over TLS, but then they shut that down last March or something for no apparent reason, without adequate replacement.

—⁂—

¹ “I’m an old-school shared host and this client hasn’t paid for HTTPS, even though by serving this page I demonstrate that TLS certificates don’t cost me anything any more and essentially just reinforcing that I’m out of touch with reality, reliving my glory days.” Can’t remember which host it was, but it was one of the pretty-well-known-in-hacker-circles ones fifteenish years ago.


I suspect the redirect exists because people were confused by the 404s. As to why no HTTPS, no idea.


If you just don’t listen on port 443, or (if you have other things on the same IP address that do talk HTTPS) even reject connections when clients indicate during TLS handshake that they’re here for www.bom.gov.au, you have no problems. There is no 404—you’ve got to have made a successful HTTP request before there can be one! There’s a regular connection error that the browser knows what to do with.

The problem is when you bypass the normal, universally-supported error path technique in order to try to be helpful. You just shouldn’t do that, ever, as far as I can tell.

Same deal with DNS providers that intercept NXDOMAIN and replace it with a redirect to a search page: it breaks so much stuff. In 2012 I was stuck behind an ISP that intercepted NXDOMAIN on all DNS traffic, so I couldn’t even switch DNS provider to fix it. It was awful. (This, incidentally, is why everything needs transport encryption, because ISPs keep on proving themselves untrustworthy as a class.)


Sorry, I had conflated 404 with a timeout error in my head. I'm not suggesting this is a good thing (and where possible I've pushed to use https), but presumably it's a reaction to something (and so the correct solution is find out why, and fix that)?


I’ve tried over the course of years to imagine any legitimate reason for it, even any technical reason for it, for why you might ever do it. None comes to me. I do not believe that any legitimate reason exists: I suspect it was just a badly-thought-out arbitrary technical decision from quite a few years ago when the impact would have been felt less often, and which they haven’t been willing to revert, if they’ve even noticed any complaints.

As for “find out why”, I’ve tried contacting them, multiple times by two or three means, and never received a response, including by one form where they explicitly guaranteed a response to every enquiry.


How does removal work if a website operator no longer manages a domain and lets it expire? Only a few good citizens would go through the removal process. Most probably don't care.

And I imagine they'd have to prove ownership of a site that no longer exists, else I could get example.com removed if I wanted to?


Yeah, if the site is no longer up you have to message the team and prove current ownership of the domain. What that process looks like, I don't know.



