Re: Redirects and HSTS

From: Ryan Sleevi <sleevi@google.com>
Date: Fri, 26 Sep 2014 23:36:44 -0700
Message-ID: <CACvaWvZrPpzovnsRmk3RPbPT9Y_N9=qYz6tu3zGwGGhM3Gn9fQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Tanvi Vyas <tanvi@mozilla.com>, Mike West <mkwst@google.com>, WebAppSec WG <public-webappsec@w3.org>

On Sep 26, 2014 11:33 PM, "Anne van Kesteren" <annevk@annevk.nl> wrote:
>
> On Fri, Sep 26, 2014 at 10:40 PM, Ryan Sleevi <sleevi@google.com> wrote:
> > For HSTS, the question is "Could a MITM attacker gain access to the data
> > otherwise"
>
> Right.
>
>
> > If we took away the +HSTS part
> > - Source document HTTP, target document HTTP
> >   - The attacker can read the target document on the wire
>
> I see, we are assuming a HSTS setup where you do not redirect port 80.
> That seems rather stupid. In that case I agree you would lose out.
>
>
> --
> https://annevankesteren.nl/

No, I'm not assuming that. But I am assuming SSLStrip.

That is, the redirect does naught for security and can be stripped away.
Plus the request itself will have already leaked the salient details.

Received on Saturday, 27 September 2014 06:37:11 UTC
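The point Ryan is making above, modelled in code as an added example that is not part of the thread: a small HSTS store following the RFC 6797 rules (max-age expiry, includeSubDomains, superdomain matching) and a function that shows what a client puts on the wire for a navigation. When the host is an HSTS known host, the upgrade to https happens inside the client before any bytes leave it; when it is not, the full request line (path and query) travels in cleartext first, and the 302 to https that follows is just a response an on-path attacker can rewrite. The hostnames and header values are constructed for the example.

```python
import time
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class HstsEntry:
    expires: float            # absolute time (seconds) after which the entry is ignored
    include_subdomains: bool


class HstsStore:
    """Minimal model of a browser's HSTS known-host list (RFC 6797 section 8)."""

    def __init__(self):
        self.entries = {}

    def observe(self, host, header, now=None):
        """Record a Strict-Transport-Security header. Returns False if the header is unusable.

        Assumption for the example: the caller only passes headers that arrived over a
        secure connection, as a real client must (RFC 6797 section 8.1).
        """
        now = time.time() if now is None else now
        max_age = None
        include_sub = False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return False
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)   # max-age=0 removes the host
            return True
        self.entries[host] = HstsEntry(now + max_age, include_sub)
        return True

    def is_known(self, host, now=None):
        """True if host, or a superdomain with includeSubDomains, has an unexpired entry."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None or entry.expires <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def first_request_on_wire(url, store, now=None):
    """Return (scheme, request_line) for the very first request a client would send.

    For an HSTS known host the http URL is rewritten to https before the request is
    sent, so nothing crosses the network in the clear. Otherwise the request line,
    including path and query, is sent over plain HTTP before any redirect can apply.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    request_line = f"GET {target} HTTP/1.1"
    if parts.scheme == "http" and store.is_known(host, now):
        return ("https", request_line)   # upgraded inside the client
    return (parts.scheme, request_line)  # cleartext if the scheme was http


if __name__ == "__main__":
    store = HstsStore()
    t0 = 1_000_000
    store.observe("example.com", "max-age=31536000; includeSubDomains", now=t0)
    for url in ("http://example.com/account?token=abc",
                "http://www.example.com/",
                "http://other.example/login?session=xyz"):
        scheme, line = first_request_on_wire(url, store, now=t0)
        print(f"{url:45} -> {scheme:5} {line}")
```

The two cases the thread contrasts fall out directly: for `example.com` (and its subdomains, via includeSubDomains) the returned scheme is `https` and the request line never appears in the clear, while for a host with no entry the scheme stays `http` and the request line, query string included, has already been exposed by the time any redirect response arrives.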