Bug 1351363 is aiming to add as many apex/root Mozilla domains to the HSTS preload list as possible, to protect first connections and also to catch any subdomains that forget to set an HSTS header themselves. Rough steps: 1) Identify mozilla.com subdomains that don't yet support HTTPS and file dependant bugs to fix them. 2) Ensure the apex/root domain (https://mozilla.com/) serves an HSTS header that meets the requirements on https://hstspreload.org/ 3) Submit the domain using that same tool For reference: $ curl -IL http://mozilla.com/ HTTP/1.1 301 Moved Permanently Server: Apache X-Backend-Server: pp-web01 Vary: Accept-Encoding Cache-Control: max-age=3600 Content-Type: text/html; charset=iso-8859-1 Date: Wed, 29 Mar 2017 00:43:23 GMT Location: https://mozilla.com/ Keep-Alive: timeout=20, max=986 Accept-Ranges: bytes Connection: Keep-Alive X-Cache-Info: cached Content-Length: 0 HTTP/1.1 302 Moved Temporarily X-Backend-Server: TS Cache-Control: max-age=3600 Content-Type: text/plain Strict-Transport-Security: max-age=31536000 Date: Wed, 29 Mar 2017 01:00:16 GMT Location: https://www.mozilla.com/ Connection: Keep-Alive Content-Length: 0 ...

mozilla.com cannot be preloaded easily as it is the apex domain of all datacenters and internal services we operate in IT. We will not be able to work on this in 2017. You may want to speak to Corey Shields about prioritizing this work if it's essential, as his team can focus on DNS work of this nature.

(In reply to Richard Soderberg [:atoll] from comment #1) > mozilla.com cannot be preloaded easily as it is the apex domain of all > datacenters and internal services we operate in IT. Ah good point. That said, I wonder if we can ask for some of the high-value mozilla.com subdomains (eg https://sso.mozilla.com, https://irccloud.mozilla.com since they request LDAP credentials) to be manually added to the preload list so we can at least protect first connections to those? (This is not normally allowed for subdomains, but exceptions have been made, eg bugzilla.mozilla.org) Or else failing that, perhaps they could be moved to their own domain or to mozilla.org instead (though bug 1351516 likely far out too)?

We have essentially no chance of getting things like sso.mozilla.com added to the preload list, because it would otherwise open the preload list up to a million requests from different domains for the same thing, which isn't technically feasible. BMO was a very special exception, specifically because of the extremely high value information it contains. In general, simply having HSTS and visiting the domain once from a safe location should be enough for sumdomains like sso and irccloud.