HSTS preload list traps sites that lose HTTPS capability AI-researched

What changed

HTTP Strict Transport Security (HSTS) allows websites to instruct browsers to always connect via HTTPS. The HSTS preload list, maintained by the Chromium project and adopted by Firefox, Safari, and Edge, goes further: sites on the list are hardcoded into the browser itself, meaning the browser will never attempt an HTTP connection to those domains, even on the first visit.

Getting onto the preload list is relatively easy — a site operator submits their domain and adds the appropriate HSTS header with the preload directive. Getting removed is slow: it requires a request to hstspreload.org, acceptance by the Chromium team, and then propagation through browser release cycles, which can take 6 to 12 months or longer.

This creates a trap. If a site is on the preload list and its TLS certificate expires, is revoked, or the site loses HTTPS capability for any reason, browsers will refuse to load the site entirely. Unlike regular HTTPS errors where browsers show a warning with a clickthrough option, HSTS-enforced failures are absolute — there is no “proceed anyway” button. The site is simply unreachable.

Several scenarios make this particularly dangerous for creative and artistic projects: domain ownership changes (the new owner may not configure HTTPS), hosting migrations where HTTPS is not re-enabled, certificate authority distrust events (like the Symantec distrust) where the site operator does not replace certificates, and expired Let’s Encrypt certificates on unmaintained sites.

Notes

The HSTS preload list is a one-way door that is easy to enter and hard to exit. For long-lived creative projects, being on the preload list means that any future lapse in HTTPS maintenance — even decades later — will make the site completely inaccessible rather than merely insecure. This is a subtle but permanent ratchet toward extinction for unmaintained web art.