Forcing TLS on YouTube with Chrome
I use Youtube Options extension for Chrome to opportunistically enable HTTPS on YouTube, but there’s a problem with this - the initial request is made by HTTP (and this makes the use of the Back button challenging, because you have to double-tap it if you came in by HTTP and were redirected to HTTPS).
Unfortunately, Google have not yet rolled out Enforce SSL to YouTube (which, as I understand it, sets an HTTP Strict Transport Security flag so the browser always makes the first request by HTTPS). However, Chrome has a convenient settings page that lets you add your own entries to the local HSTS set.
chrome://net-internals/#hsts
On this page you can query HSTS for a domain - or, usefully, add custom entries. I queried youtube.com which gave me:
Found: mode: OPPORTUNISTIC sts_include_subdomains:true pkp_include_subdomains:true domain:youtube.com pubkey_hashes:sha1/vq7OyjSnqOco9nyMCDGdy77eijM=,sha1/Q9rWMO5T+KmAym79hfRqo3mQ4Oo=
I simply took the pubkey_hashes value, pasted it into the “Add Domain” box at the top, ticked “Include subdomains for STS” and “Include subdomains for PKP”, then clicked “Add”. Now querying youtube.com results in:
Found: mode: STRICT sts_include_subdomains:true pkp_include_subdomains:true domain:youtube.com pubkey_hashes:sha1/vq7OyjSnqOco9nyMCDGdy77eijM=,sha1/Q9rWMO5T+KmAym79hfRqo3mQ4Oo=
And I no longer get HTTP requests made when I visit http://www.youtube.com - success!
I’m not sure if this lives in a cache that gets purged over time, so I’ve kept Youtube Options installed in the meantime.
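The effect of the change above, as an added example that is not part of the original post and is not Chrome's code: a simplified model that parses the two query results and decides whether the first request to a host goes out over HTTPS. The rule that only STRICT entries upgrade the request is an assumption drawn from the behaviour described in the post; parseEntry, hostCovered and firstRequestUrl are hypothetical names.

```javascript
// Added example: simplified model of an HSTS lookup, not Chrome's implementation.
// BEFORE and AFTER are the two query results quoted in the post.
const BEFORE = "Found: mode: OPPORTUNISTIC sts_include_subdomains:true pkp_include_subdomains:true domain:youtube.com pubkey_hashes:sha1/vq7OyjSnqOco9nyMCDGdy77eijM=,sha1/Q9rWMO5T+KmAym79hfRqo3mQ4Oo=";
const AFTER = BEFORE.replace("OPPORTUNISTIC", "STRICT");

// Parse one "Found: ..." line into an entry object.
function parseEntry(line) {
  const mode = /mode:\s*(\w+)/.exec(line);
  const domain = /domain:(\S+)/.exec(line);
  if (!line.startsWith("Found:") || !mode || !domain) {
    throw new Error("not an HSTS query result: " + line);
  }
  const flag = (name) => new RegExp(name + ":true\\b").test(line);
  const pins = /pubkey_hashes:(\S+)/.exec(line);
  return {
    mode: mode[1],
    domain: domain[1].toLowerCase(),
    stsIncludeSubdomains: flag("sts_include_subdomains"),
    pkpIncludeSubdomains: flag("pkp_include_subdomains"),
    pins: pins ? pins[1].split(",") : [],
  };
}

// An exact match always applies; a subdomain matches only on a label
// boundary and only when the entry covers subdomains.
function hostCovered(entry, host) {
  host = host.toLowerCase().replace(/\.$/, "");
  if (host === entry.domain) return true;
  return entry.stsIncludeSubdomains && host.endsWith("." + entry.domain);
}

// Assumption taken from the post's observation: only STRICT entries turn
// the first http:// request into https://.
function firstRequestUrl(entries, url) {
  const u = new URL(url);
  if (u.protocol !== "http:") return u.href;
  const hit = entries.some((e) => e.mode === "STRICT" && hostCovered(e, u.hostname));
  if (!hit) return u.href;
  u.protocol = "https:";
  return u.href;
}

console.log(firstRequestUrl([parseEntry(BEFORE)], "http://www.youtube.com"));
console.log(firstRequestUrl([parseEntry(AFTER)], "http://www.youtube.com"));
```

The label-boundary check in hostCovered is what keeps a look-alike host such as notyoutube.com from being treated as a subdomain of youtube.com.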