Re: HSTS preload flaw

On Sun, Feb 9, 2020 at 6:51 PM Austin Wright <aaa@bzfx.net> wrote:

> If encrypted connections are important to you as a server operator, it
> seems the only foolproof way to avoid plaintext communication is don’t
> listen on port 80.
>

Without getting into the overall issue, I just want to note for readers of
the thread - server operators can't avoid plaintext communication by
clients by not listening on port 80. Clients can attempt to initiate a
connection to a hostname over port 80 whether or not the "real" server is
listening on port 80, and that connection can be interfered with by a
malicious network actor. That's why HSTS exists - to provide some kind of
signal to the client that they should never bother even trying to make that
connection.
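The point above, that the "never try port 80" decision is made on the client side from a signal the server sent earlier over TLS, can be seen by modelling the user agent's HSTS cache. The following is an added example, not code from this thread or from any browser; it implements the RFC 6797 behaviour for a `Strict-Transport-Security` header (parse `max-age` and `includeSubDomains`, ignore the header when it arrived over plaintext, expire entries, rewrite `http://` URLs to `https://` before any connection is attempted). The `HstsCache` class, the `now` clock parameter and the `example.test` hosts are assumptions made for the example.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the header
    is unusable (no max-age, or a non-numeric max-age), in which case a
    conforming UA ignores it rather than guessing.
    """
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """Minimal model of a user agent's HSTS host store (assumed name)."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._entries = {}         # host -> (expires_at, include_subdomains)

    def observe(self, host, header, secure_transport):
        """Record an STS header seen in a response from `host`.

        RFC 6797 section 8.1: the header only counts when it was received
        over a secure transport; over plaintext it is ignored, so a network
        attacker on port 80 cannot plant or alter the policy.
        Returns True when the cache was updated.
        """
        if not secure_transport:
            return False
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self._entries.pop(host, None)   # max-age=0 means "forget this host"
            return True
        self._entries[host] = (self._now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if `host` (or a parent domain with includeSubDomains) is a
        non-expired known HSTS host."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at <= now:
                continue
            if i == 0 or include_sub:
                return True
        return False

    def resolve(self, url):
        """Apply the URI rewrite of RFC 6797 section 8.3 before connecting.

        An http:// URL for a known HSTS host becomes https://; an explicit
        port 80 is dropped (i.e. becomes the https default), any other explicit
        port is preserved. Unknown hosts are returned unchanged, which is the
        plaintext attempt the thread describes as unavoidable without HSTS.
        """
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    # Constructed header, as a site would send it over TLS.
    cache.observe("example.test", "max-age=31536000; includeSubDomains", secure_transport=True)
    print(cache.resolve("http://www.example.test/login"))   # rewritten to https://
    print(cache.resolve("http://other.test/login"))         # unchanged: plaintext attempt
```

The useful reading of the model is `resolve`: the rewrite happens before any socket is opened, which is the only stage at which the client can decide not to talk to port 80 at all. Whether anything is listening on that port on the real server is irrelevant to a client that has no cache entry.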

Received on Monday, 10 February 2020 03:20:34 UTC