HSTS Privacy Vs Security
Yesterday I launched HSTSCookie.ca as a reference implementation for Firefox 7's handling of HSTS. I'm not the first to think of using HSTS as a state machine, but I had not seen any other actual implementations to prove the theory in the wild.
So check out hstscookie.ca... It's a partial implementation, and I chose only to pick on Firefox because it handles expiring HSTS info a little differently than Chrome does. In Chrome, deleting cookies will delete the HSTS information; in Firefox you have to delete the 'site preferences' item. I chose not to put it on a real wildcard cert, mostly because I wanted there to be a real opt-in to try it out, but also because the cheapest wildcard cert I could find was $200 -- which is ridiculous for something that costs nothing to create and only validates domain ownership.
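To make the Chrome/Firefox difference concrete, here is an added toy model of the browser side (example code written for this post, not the hstscookie.ca implementation): it parses Strict-Transport-Security headers into a per-host store kept separately from cookies, so clearing cookies leaves the HSTS state intact while clearing "site preferences" removes it. The class and method names are assumptions, and header names are matched exactly.

```python
import time


def parse_hsts(header):
    """Parse an STS header value into (max_age, include_subdomains), or None if invalid."""
    max_age, include_subdomains = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None or max_age < 0:
        return None  # max-age is mandatory
    return max_age, include_subdomains


class BrowserState:
    """Toy browser: cookies and the HSTS store are separate pieces of state."""

    def __init__(self, now=None):
        self.cookies = {}  # (host, name) -> value
        self.hsts = {}     # host -> (expiry timestamp, include_subdomains)
        self.now = time.time() if now is None else now

    def receive(self, host, headers):
        """Apply response headers received over HTTPS from `host`."""
        sts = headers.get("Strict-Transport-Security")
        if sts is not None and (parsed := parse_hsts(sts)) is not None:
            max_age, subs = parsed
            if max_age == 0:
                self.hsts.pop(host, None)  # max-age=0 clears the entry
            else:
                self.hsts[host] = (self.now + max_age, subs)
        if "Set-Cookie" in headers:
            name, _, value = headers["Set-Cookie"].partition("=")
            self.cookies[(host, name.strip())] = value.strip()

    def must_use_https(self, host):
        """True if an unexpired HSTS entry covers `host` (directly or via includeSubDomains)."""
        for known, (expiry, subs) in self.hsts.items():
            if expiry > self.now and (host == known or (subs and host.endswith("." + known))):
                return True
        return False

    def clear_cookies(self):  # Firefox-style: does not touch HSTS
        self.cookies.clear()

    def clear_site_preferences(self):  # removes the HSTS store
        self.hsts.clear()
```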
In my opinion, HSTS is broken at the design level and can't be fixed in its current form. Instead, STS and Certificate Pinning should be handled in the DNS through a TXT or SRV record setup. Don't require the user's browser to remember whether the site should be HSTS.