W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2014

Re: Redirects and HSTS

From: Mike West <mkwst@google.com>
Date: Fri, 26 Sep 2014 13:55:26 +0200
Message-ID: <CAKXHy=cjP0gbX4wWtamQ_Vkt=U7Zez1a+_WZV9RrB+nqvQ4npg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>
What's the attack you're considering?

(See also:
http://www.chromium.org/Home/chromium-security/client-identification-mechanisms#TOC-Lower-level-protocol-identifiers
)

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Fri, Sep 26, 2014 at 1:42 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> Given HSTS and the network-error-on-redirect feature, it seems we can
> determine whether a user has visited a given domain before. Was this
> considered?
>
>
> --
> https://annevankesteren.nl/
>
>
Received on Friday, 26 September 2014 11:56:13 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC