W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2014

Re: Redirects and HSTS

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sat, 27 Sep 2014 08:33:36 +0200
Message-ID: <CADnb78j-OvAJNzyo99p3hGPt_DXWAnDP53gK7YsWdJuvK44A5A@mail.gmail.com>
To: Ryan Sleevi <sleevi@google.com>
Cc: Mike West <mkwst@google.com>, Tanvi Vyas <tanvi@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
On Fri, Sep 26, 2014 at 10:40 PM, Ryan Sleevi <sleevi@google.com> wrote:
> For HSTS, the question is "Could a MITM attacker gain access to the data
> otherwise"

Right.


> If we took away the +HSTS part
> - Source document HTTP, target document HTTP
>   - The attacker can read the target document on the wire

I see, we are assuming a HSTS setup where you do not redirect port 80.
That seems rather stupid. In that case I agree you would lose out.


-- 
https://annevankesteren.nl/
Received on Saturday, 27 September 2014 06:34:04 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC