HSTS is a standard which is safer than plain HTTPS. We have pointed out the falsehood of the big giants in the post-PRISM era with the HSTS Preload List. Those who are not aware of the HTTP Strict Transport Security (HSTS) Preload List can read the linked article. This article is a guide to Nginx configuration for enabling HSTS preload. There are more things to cover, like the CORS header. After Snowden revealed the governmental spyware activities, aka PRISM, many flaws in free software started to be revealed: Shellshock, Heartbleed, and issues with virtualization software. Rackspace kept the bugs secret and rebooted servers erratically. That is basically a headache for the webmaster, but today we are presenting some shocking truths about giants like Google and Twitter regarding HSTS. Google, to get its brand value back, started to talk about security. Google has a kind of human-like robot, Matt Cutts: a person with a PhD, an educated person, who has lied so much in life that possibly God is not interested in him. This article is tiring to read because many things have been explained for a basic user.
HSTS, Cloud Security, IoT and The Liar : Why Authorship Was Introduced
Google delivered a false promise named “Authorship”. A few million webmasters and a few hundred developers worked relentlessly to add rel='me', rel='author' and similar markup. rel is a microformat attribute, part of the semantic web, which lets the end nodes understand the relationship between two linked resources. On this webpage, just scroll down to a link named “Corrine”: as the two of us have known each other for many years and are practically or virtually like relatives, that link carries a defined rel. Google randomly picked me as an experimental animal in this Authorship test. Ultimately Google announced that the rel markup had failed and that it was an experiment. For page verification, validating once now works fine in practice.
When the rel markup was introduced, plus.google.com was younger. When you are using rel=me, how can you use rel=nofollow on the same link? This is like the forced situation of footer links from so-called free software like WordPress, which has not upgraded its license to the current version: almost everyone removes the footer link, but very few remove it from the login page. In other words, this exploit was introduced to get a huge number of backlinks towards the new social network plus.google.com. There were definitely other reasons as well. Many webmasters are still not even aware that rel=me should become a JavaScript link to stop the flow of outgoing links. There are other ways to give a link to the reader, for example as plain text like this: fsf.org. That is not a great way to give credit, but it is actually safer, as the reader will copy the URL and paste it into the browser of their choice; what we are referring to is that the visit will not be traced.
---
HSTS, Cloud Security, IoT : Unknown Facts
Practically, the facts were revealed quite accidentally. One can read about the differences between HSTS and plain HTTPS, the standards and so on, on various neutral websites. Most technology blogs show examples with the tool cURL to check response headers, so most high-end coding websites have the headers in their posts for various examples. Just like cURL, there are many such tools that all of us have used. It is an assumption: technology blogs usually get heavily penalized by Google and Matt Cutts' abnormal testing. After being penalized year after year, people ultimately stop blogging. Yes, that may be the desired action: deletion of the documents. 25% of the DMOZ-listed websites about Windows Vista have died. What we discuss inside DMOZ is not publicly available; the data here is from the publicly visible page. We often say “DMOZ regularly checks for quality”; yes, we basically decrapify the categories to remove the many seem-to-be-dead to fully dead websites.
So there are old relationships; if we had not told you, you would never have analyzed them yourself. Our topic is HSTS, Cloud Security, IoT and The Liar. We told you about friendships. The importance of IoT with these things is manifold: protocol, privacy and security, among a huge list.
HSTS, Cloud Security, IoT : Most Secure Website Will Get Better SERP
This is a gossip-magazine-style cover-up by Google, possibly with commissions from the SSL certificate providers towards Google. As the response to PRISM and the NSA spying activities grew huge, probably 70% of Internet users understood Google's (mainly) bad intentions: “Real People” on Google Plus was nothing but a way to collect personal data. It is quite abnormal that “Real People” are required for just a social network. Real people automatically publish their details on professional networks; doctors and lawyers even need to verify manually.
One of Google's lawyers first published a G+ post on the topic of HSTS, which Matt Cutts shared. The best way to get the full response headers is to run a simple curl command:
    curl -I https://thecustomizewindows.com
You will get this output :
    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 18 Dec 2014 12:10:29 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: PHPSESSID=3qoa62e22fqviv0lmedtvmsfh3; path=/
    Expires: Tue, 09 Aug 2016 12:10:29 GMT
    Cache-Control: public, max-age=51840000
    Last-Modified: Wed, 16 Apr 2014 20:33:56 GMT
    X-Pingback: https://thecustomizewindows.com/xmlrpc.php
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Alternate-Protocol: 443:npn-spdy/3
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
This one, Strict-Transport-Security: max-age=31536000; includeSubDomains; preload, is very important. It tells browsers to use HTTPS only for this host for one year (max-age=31536000), to apply the same rule to every subdomain (includeSubDomains), and it carries the preload token that the preload list requires before a domain can be submitted. Note what it does not tell you: the preload token only shows that the site has opted in; whether the domain is actually shipped in the browsers' preload lists can only be confirmed against the list itself. The header also says nothing about the custom HTTPS Everywhere rules:
    https://github.com/EFForg/https-everywhere
This is the repository which I pulled, added my rules to, and pushed. Although the data is public, I know it is difficult to find me and my commit here:
    https://github.com/EFForg/https-everywhere/network/members
What you will easily get is here:
    https://www.eff.org/https-everywhere/atlas/domains/thecustomizewindows.com.html
Where is HSTS for mail.google.com? (curl shows only what the server sends in this one response; a browser that has the domain compiled into its preload list enforces HSTS even without the header, so the check below proves only that no header is returned.)
    curl -I https://mail.google.com
    HTTP/1.1 200 OK
    Cache-Control: private, max-age=604800
    Expires: Thu, 18 Dec 2014 12:19:47 GMT
    Date: Thu, 18 Dec 2014 12:19:47 GMT
    Refresh: 0;URL=https://mail.google.com/mail/
    Content-Type: text/html; charset=ISO-8859-1
    Content-Length: 234
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Server: GSE
    Alternate-Protocol: 443:quic,p=0.02
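The two curl checks above are done by eye. As an added example (this is not code from the original article), here is a small POSIX shell checker that does the same thing mechanically: it pulls the Strict-Transport-Security value out of a raw header block and tests it against the preload submission requirements (max-age of at least one year, includeSubDomains, preload). The three header blocks embedded in it are constructed samples modelled on the two curl outputs above so that the script runs offline; for a live check, pass it `"$(curl -sI https://host)"` instead.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Checks a raw HTTP response header block (what `curl -sI https://host` prints)
# against the HSTS preload list submission rules:
#   max-age >= 31536000 (one year), includeSubDomains, preload.
# The header blocks at the bottom are constructed samples for offline use.

# Print the Strict-Transport-Security value (first occurrence), trimmed; empty if absent.
hsts_value() {
    printf '%s\n' "$1" | tr -d '\r' \
        | grep -i '^strict-transport-security:' | head -n 1 \
        | cut -d: -f2- | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Print the numeric value of directive $2 (e.g. max-age) from header value $1; empty if absent.
# Only the STS value is searched, so a Cache-Control max-age is never mistaken for it.
hsts_directive_num() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr ';' '\n' \
        | sed -n "s/^[[:space:]]*$2=\([0-9][0-9]*\)[[:space:]]*\$/\1/p" | head -n 1
}

# Print 1 if boolean directive $2 (lower-case) is present in header value $1, else 0.
hsts_has_directive() {
    if printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr ';' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qx "$2"; then
        echo 1
    else
        echo 0
    fi
}

# Print "OK" and return 0 when the block is preload-eligible; otherwise print the
# first failing requirement and return 1.
hsts_preload_verdict() {
    value=$(hsts_value "$1")
    if [ -z "$value" ]; then
        echo "no Strict-Transport-Security header sent"
        return 1
    fi
    max_age=$(hsts_directive_num "$value" max-age)
    if [ -z "$max_age" ]; then
        echo "max-age missing or malformed: $value"
        return 1
    fi
    if [ "$max_age" -lt 31536000 ]; then
        echo "max-age=$max_age is below one year (31536000)"
        return 1
    fi
    if [ "$(hsts_has_directive "$value" includesubdomains)" != 1 ]; then
        echo "includeSubDomains missing"
        return 1
    fi
    if [ "$(hsts_has_directive "$value" preload)" != 1 ]; then
        echo "preload token missing (browsers still enforce the header, but the list will not accept the domain)"
        return 1
    fi
    echo "OK"
}

# Constructed samples modelled on the article's two curl outputs (trimmed).
SAMPLE_PRELOAD='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload'

# Note the Cache-Control max-age: it must not be picked up as an HSTS max-age.
SAMPLE_NO_HSTS='HTTP/1.1 200 OK
Cache-Control: private, max-age=604800
Content-Type: text/html; charset=ISO-8859-1
X-Frame-Options: SAMEORIGIN
Server: GSE'

SAMPLE_WEAK='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=300'

# Usage on a live host:  hsts_preload_verdict "$(curl -sI https://example.com)"
for sample in "$SAMPLE_PRELOAD" "$SAMPLE_NO_HSTS" "$SAMPLE_WEAK"; do
    hsts_preload_verdict "$sample" || true
done
```

The directive names are matched case-insensitively and whitespace around the tokens is ignored, since servers vary in how they format the header; a missing header, a short max-age and a missing preload token are reported as distinct failures because each needs a different fix on the server side.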
Google's ruleset is very complex:
    https://www.eff.org/https-everywhere/atlas/domains/google.com.html
The nicest ruleset is PayPal's:
    https://www.eff.org/https-everywhere/atlas/domains/paypal.com.html
If you look at Google's security in SSL Labs, you will become very sad:
    https://www.ssllabs.com/ssltest/analyze.html?d=google.com
The security of an individual node is far from perfect:
    https://www.ssllabs.com/ssltest/analyze.html?d=google.com&s=74.125.239.142&hideResults=on
Test ours:
    https://www.ssllabs.com/ssltest/analyze.html?d=thecustomizewindows.com&latest
As our main front-end node serves thecustomizewindows.com, only that node is nicely optimized. www.thecustomizewindows.com is handled by a different node; its rating does not matter, as it only does a 301 redirect. The IP can change, but the A+ will remain constant for the main domain. “Inconsistent server configuration” is not really an error: there are 9 name servers, and the details mismatch because different DNS providers are used, so SSL Labs sees more than one node behind the name.
Twitter's quality is the same as Google's:
    https://www.ssllabs.com/ssltest/analyze.html?d=twitter.com
Same for Facebook:
    https://www.ssllabs.com/ssltest/analyze.html?d=Facebook.com
And yes, Microsoft:
    https://www.ssllabs.com/ssltest/analyze.html?d=microsoft.com
So, our main server is A+, but Google, Facebook and Microsoft all have such bad software engineers that they need to go back to a B grade? It is agreeable that SSL Labs does not understand a 301 and fails to merge two nodes, but Google, Facebook and Microsoft all have main nodes with a B grade. With this data, is it agreeable that ‘Most Secure Website Will Get Better SERP’? The major question is why Google is shouting about HTTPS Everywhere with such poorly graded servers and a mail server that sends no HSTS header. mail.google.com had HSTS once (yes). There are websites that ran curl for other reasons and have the response headers in their posts. Google usually penalizes technology websites; why, Matt Cutts knows. Maybe all of them are spammy. Charity, essentially, begins at home.