Re: Redirects and HSTS

On Sep 26, 2014 11:33 PM, "Anne van Kesteren" <annevk@annevk.nl> wrote:
>
> On Fri, Sep 26, 2014 at 10:40 PM, Ryan Sleevi <sleevi@google.com> wrote:
> > For HSTS, the question is "Could a MITM attacker gain access to the data
> > otherwise"
>
> Right.
>
>
> > If we took away the +HSTS part
> > - Source document HTTP, target document HTTP
> >   - The attacker can read the target document on the wire
>
> I see, we are assuming an HSTS setup where you do not redirect port 80.
> That seems rather stupid. In that case I agree you would lose out.
>
>
> --
> https://annevankesteren.nl/

No, I'm not assuming that. But I am assuming SSLStrip.

That is, the redirect does naught for security and can be stripped away.
Plus the request itself will have already leaked the salient details.

Received on Saturday, 27 September 2014 06:37:11 UTC
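Ryan's point, that HSTS is enforced inside the client before any request is sent while a server-side redirect can only arrive after the plaintext request has already gone out (and can be dropped by an on-path attacker, the SSLStrip case), as an added Python model that is not code from this thread. `HSTS_STORE`, `hsts_applies`, `fetch` and the hostnames are constructed for the illustration.

```python
from typing import NamedTuple, Optional
from urllib.parse import urlsplit

# Constructed HSTS cache: host -> includeSubDomains, as a browser would retain
# it from an earlier Strict-Transport-Security header or the preload list.
HSTS_STORE = {"example.com": True, "bank.test": False}


class Outcome(NamedTuple):
    sent_over: str          # scheme the first request actually used on the wire
    leaked: Optional[str]   # path+query exposed in cleartext, or None
    final_scheme: str       # scheme the browser ends up on for the document


def hsts_applies(host: str, store=HSTS_STORE) -> bool:
    """True if host is covered by a policy: exact match, or a parent domain
    whose policy carries includeSubDomains."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in store and (i == 0 or store[candidate]):
            return True
    return False


def fetch(url: str, store=HSTS_STORE, redirect_stripped: bool = False) -> Outcome:
    """Model a navigation to url. redirect_stripped models an on-path attacker
    who removes the server's HTTP->HTTPS redirect on the way back."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return Outcome("https", None, "https")
    if hsts_applies(parts.hostname or "", store):
        # The URL is rewritten to https before any bytes leave the client, so
        # nothing is exposed and there is no redirect for a MITM to strip.
        return Outcome("https", None, "https")
    # No policy: the request line, query string, cookies and Referer go out in
    # cleartext. A 301 to https from the server arrives only after that leak,
    # and whether it is honoured is entirely up to whoever is on the path.
    leaked = parts.path + (f"?{parts.query}" if parts.query else "")
    return Outcome("http", leaked, "http" if redirect_stripped else "https")


if __name__ == "__main__":
    print(fetch("http://example.com/account?token=abc"))
    print(fetch("http://legacy.test/account?token=abc", redirect_stripped=True))
```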