
Re: HSTS preload flaw

From: Eric Mill <eric@konklone.com>
Date: Sun, 9 Feb 2020 22:19:50 -0500
Message-ID: <CACMfZd_iPqj5Q1=NE9zi_uQV5UsXQeVb818vxgQzHsSJ8m3SBw@mail.gmail.com>
To: Austin Wright <aaa@bzfx.net>
Cc: Rob Sayre <sayrer@gmail.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On Sun, Feb 9, 2020 at 6:51 PM Austin Wright <aaa@bzfx.net> wrote:

> If encrypted connections are important to you as a server operator, it
> seems the only foolproof way to avoid plaintext communication is don’t
> listen on port 80.
>

Without getting into the overall issue, I just want to note for readers of
the thread - server operators can't avoid plaintext communication by
clients by not listening on port 80. Clients can attempt to initiate a
connection to a hostname over port 80 whether or not the "real" server is
listening on port 80, and that connection can be interfered with by a
malicious network actor. That's why HSTS exists - to provide some kind of
signal to the client that they should never bother even trying to make that
connection.
Received on Monday, 10 February 2020 03:20:34 UTC
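The mechanism Eric describes, client-side rather than server-side, is the part of HSTS (RFC 6797) that a browser keeps: a cache of hosts that have declared a policy over HTTPS, plus a rewrite step that turns an http:// URL into https:// before any port-80 connection is attempted. The following is an added example written for this archive page, not code from the thread or from any browser; the class and function names are hypothetical, the preload list is a constructed stand-in for a real preload list, and a real user agent additionally refuses to record a policy from a connection whose certificate did not validate. It also shows the gap being discussed: a host the client has never seen over HTTPS and that is not preloaded gets no upgrade, so the first request still goes out in plaintext regardless of whether anything listens on port 80.

```python
"""Minimal client-side HSTS policy cache modelled on RFC 6797.

Added example for this mailing-list page; not code from the thread.
Names (HstsClient, parse_sts_header, HstsEntry) are hypothetical.
"""
import re
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires_at: float          # absolute time; float("inf") for preloaded hosts
    include_subdomains: bool


def parse_sts_header(value: str):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None if the header is
    invalid. Per RFC 6797 section 6.1 max-age is required and unknown
    directives are ignored.
    """
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", val):
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsClient:
    def __init__(self, preload=None, now=time.time):
        self.now = now
        self.store = {}
        # Constructed stand-in for a browser preload list: treated as a
        # never-expiring includeSubDomains policy, so no first-visit gap.
        for host in (preload or []):
            self.store[host.lower()] = HstsEntry(float("inf"), True)

    def observe_response(self, url: str, headers: dict) -> bool:
        """Record a policy from a response. Only an https:// response counts
        (RFC 6797 section 8.1); a header seen over plaintext is ignored, since
        an on-path attacker could have injected it."""
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname is None:
            return False
        sts = next((v for k, v in headers.items()
                    if k.lower() == "strict-transport-security"), None)
        if sts is None:
            return False
        parsed = parse_sts_header(sts)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.store.pop(host, None)        # max-age=0 withdraws the policy
            return True
        self.store[host] = HstsEntry(self.now() + max_age, include_sub)
        return True

    def is_known_hsts_host(self, host: str) -> bool:
        """Exact match, or a superdomain entry with includeSubDomains.
        Expired entries are evicted on lookup."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.store.get(candidate)
            if entry is None:
                continue
            if entry.expires_at <= self.now():
                del self.store[candidate]
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite_url(self, url: str) -> str:
        """Upgrade http:// to https:// for known HSTS hosts before any
        connection is opened (RFC 6797 section 8.3). Port 80 becomes the
        https default; any other explicit port is preserved. Unknown hosts
        are returned unchanged, i.e. the request would go out in plaintext."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return url
        if not self.is_known_hsts_host(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The point the thread makes falls out of the last method: the rewrite happens only for hosts already in the store, so the protection a server operator gets does not depend on whether port 80 is open on their side but on whether the client has previously recorded (or been shipped) a policy for that host.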