by shawnz 2527 days ago
But HSTS also blocks the workaround of "just Google it and find the page again"

You can use the webmaster tools on Google to fix the indexing. It takes a few days, but worth the effort.
The issue is that the browser won't let you visit the insecure URL, regardless of how you get to it.

It won't work because the HSTS setting the visitor got months ago told it not to.

That is exactly what I am talking about.

In the webmaster tools, you want to get Google to remove all references to the non-HTTPS versions. Ensure HTTPS is up on all URLs, then use their tools to re-index everything and remove all references to http://

Are you saying you can't set up HTTPS on some of your URLs?

The argument here is that enabling HSTS can be dangerous because if you enable it and then later become unable to serve HTTPS for some reason, you will have no way of turning it off. Even if you get your clients to manually edit their bookmarks to use HTTP again, their browsers will just rewrite the URL to HTTPS anyway.

There's no issue with switching FROM HTTP to HTTPS: that's easy, just redirect them. The issue is if you have to switch back.

I completely understand. The bookmark scenario is even easier than the Google links. You simply set up HTTPS and the cached HSTS entries will work.
The scenario is assuming you have a working HSTS setup but then become unable to serve HTTPS for some reason (e.g. cert expires and you can't acquire a new one, or the provider just drops support for SSL for some reason, or you are forced to change providers to one that doesn't support SSL).

HSTS can't be enabled on plain HTTP so it's not possible to create the problematic scenario if you never had SSL enabled to begin with. The problem is switching from SSL to non-SSL, not the other way around.
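The behaviour the thread describes (the header is ignored on plain-HTTP responses, the policy survives until max-age expires, and only a working HTTPS response can clear it) as an added Python model; this is not code from any browser or from the commenters, and example.test, the timings and the header values are constructed:

```python
import re
from urllib.parse import urlsplit, urlunsplit


class HSTSCache:
    """Toy model of a browser's HSTS store: host -> (expiry, includeSubDomains)."""

    def __init__(self):
        self.entries = {}

    def observe_response(self, url, headers, now):
        """Record a policy. Browsers ignore the header on plain-HTTP responses."""
        parts = urlsplit(url)
        sts = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or sts is None:
            return False
        m = re.search(r"max-age=(\d+)", sts, re.I)
        if not m:
            return False
        max_age = int(m.group(1))
        if max_age == 0:
            # max-age=0 clears the entry, but only a working HTTPS response
            # can deliver it: a site that lost HTTPS cannot undo its own policy.
            self.entries.pop(parts.hostname, None)
        else:
            self.entries[parts.hostname] = (now + max_age, "includesubdomains" in sts.lower())
        return True

    def is_known(self, host, now):
        for known, (expiry, subs) in self.entries.items():
            if now < expiry and (host == known or (subs and host.endswith("." + known))):
                return True
        return False

    def rewrite(self, url, now):
        """Browser-side upgrade: http:// becomes https:// for a known host,
        whether the URL came from a bookmark, a search result or the address bar."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def lockout_demo(max_age):
    """Site sets HSTS with max_age at t=0, then loses HTTPS. Return the URLs a
    returning visitor's browser actually requests 1 day and 31 days later."""
    cache = HSTSCache()
    cache.observe_response("https://example.test/", {"Strict-Transport-Security": f"max-age={max_age}"}, now=0)
    day = 86400
    return (cache.rewrite("http://example.test/page", now=1 * day),
            cache.rewrite("http://example.test/page", now=31 * day))
```

Comparing `lockout_demo(31536000)` with `lockout_demo(604800)` shows why rollouts usually start with a short max-age: under a year-long policy the visitor is still forced to HTTPS a month after the outage began, while a one-week policy has lapsed by then.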