pith. sign in
Pith Number

pith:5Q2ECPCI

pith:2026:5Q2ECPCIJZ7PNXJFAQ72YYOVS7
not attested not anchored not stored refs resolved

Securing the Web with HSTS-Enforced

Aaron van Diepen, Adrian Zapletal, Fernando Kuipers

HSTS-Enforced defaults all web connections to HTTPS and requires explicit indicators for any site that must use HTTP.

arxiv:2605.04642 v1 · 2026-05-06 · cs.CR · cs.NI

Open paper page JSON Open Graph Bundle Merged state Verified badge What is a Pith Number?
Add to your LaTeX paper 
\usepackage{pith}
\pithnumber{5Q2ECPCIJZ7PNXJFAQ72YYOVS7}

Prints a linked badge after your title and injects PDF metadata. Compiles on arXiv. Learn more · Embed verified badge

Record completeness

1 Bitcoin timestamp
2 Internet Archive
3 Author claim open · sign in to claim
4 Citations open
5 Replications open
Portable graph bundle live · download bundle · merged state
The bundle contains the canonical record plus signed events. A mirror can host it anywhere and recompute the same current state with the deterministic merge algorithm.

Claims

C1strongest claim

HSTS-Enforced blocks all practical TLS stripping attempts while maintaining compatibility for sites that require HTTP - without introducing overhead in the typical case.

C2weakest assumption

That browsers, DNS resolvers, and site operators will correctly implement and use the proposed HTTP-Required indicators (new DNS record and preload list) without widespread misconfiguration or adoption failures.

C3one line summary

HSTS-Enforced flips web security to default HTTPS with explicit HTTP-Required indicators to block TLS stripping while preserving compatibility for sites needing HTTP.

References

56 extracted · 56 resolved · 0 Pith anchors

[1] HTTP Over TLS 2000
[2] HTTP Strict Transport Security (HSTS) 2012
[3] New Tricks for Defeating SSL in Practice 2009
[4] More Tricks for Defeating SSL in Practice 2009
[5] HSTS Preload List Submission 2012
Receipt and verification
First computed 2026-05-29T02:05:45.982580Z
Builder pith-number-builder-2026-05-17-v1
Signature Pith Ed25519 (pith-v1-2026-05) · public key
Schema pith-number/v1.0

Canonical hash

ec34413c484e7ef6dd25043fac61d597e529f2ba2e1481e3a15e91ffa68193d0

Aliases

arxiv: 2605.04642 · arxiv_version: 2605.04642v1 · doi: 10.48550/arxiv.2605.04642 · pith_short_12: 5Q2ECPCIJZ7P · pith_short_16: 5Q2ECPCIJZ7PNXJF · pith_short_8: 5Q2ECPCI
Agent API
Resolver JSON Graph JSON Events JSON Schema Signing key
Verify this Pith Number yourself 
curl -sH 'Accept: application/ld+json' https://pith.science/pith/5Q2ECPCIJZ7PNXJFAQ72YYOVS7 \
  | jq -c '.canonical_record' \
  | python3 -c "import sys,json,hashlib; b=json.dumps(json.loads(sys.stdin.read()), sort_keys=True, separators=(',',':'), ensure_ascii=False).encode(); print(hashlib.sha256(b).hexdigest())"
# expect: ec34413c484e7ef6dd25043fac61d597e529f2ba2e1481e3a15e91ffa68193d0
Canonical record JSON 
{
  "metadata": {
    "abstract_canon_sha256": "88097d4a169f164c185ba2a85a31848be9eb12737262c70a323f689e50ded2c1",
    "cross_cats_sorted": [
      "cs.NI"
    ],
    "license": "http://creativecommons.org/licenses/by/4.0/",
    "primary_cat": "cs.CR",
    "submitted_at": "2026-05-06T08:33:12Z",
    "title_canon_sha256": "9094c2e8a2ee1989c120a3ba4ede31216d7af9528cadb067ec8c0fd5499a0bd1"
  },
  "schema_version": "1.0",
  "source": {
    "id": "2605.04642",
    "kind": "arxiv",
    "version": 1
  }
}