On Fri, Sep 26, 2014 at 1:09 PM, Anne van Kesteren <annevk@annevk.nl> wrote: > On Fri, Sep 26, 2014 at 10:07 PM, Anne van Kesteren <annevk@annevk.nl> > wrote: > > That does seem to cover it, although the first sentence makes it sound > > more difficult than it really is. > > However, could this attack be avoided if we never applied HSTS to > resources loaded from a document on a different origin? > > > -- > https://annevankesteren.nl/ > Maybe. Not for HPKP though (the security benefit is also realized through inter-origin protections). For HSTS, the question is "Could a MITM attacker gain access to the data otherwise" - Source document HTTP, target document HTTP+HSTS - The attacker can inject script into the source document. However, CORS should prevent the attacker's script from getting access to the target document data (if used correctly). - The attacker cannot sslstrip the target document, because HSTS - Source document HTTPS, target document HTTP+HSTS - both Firefox and Chrome will trigger mixed content blocking on this today - If MCB is bypassed, the load is STILL over HTTPS, thus the above applies for the HTTP+HTTP case If we took away the +HSTS part - Source document HTTP, target document HTTP - The attacker can read the target document on the wire - Source document HTTPS, target document HTTP - Mixed content blocking triggers - If the user bypasses MCB, the attacker can read the target document on the wire Seems like a net-negative for security if we did.
Received on Friday, 26 September 2014 20:47:27 UTC