On Sep 26, 2014 11:33 PM, "Anne van Kesteren" <annevk@annevk.nl> wrote:
>
> On Fri, Sep 26, 2014 at 10:40 PM, Ryan Sleevi <sleevi@google.com> wrote:
> > For HSTS, the question is "Could a MITM attacker gain access to the data
> > otherwise"
>
> Right.
>
>
> > If we took away the +HSTS part
> > - Source document HTTP, target document HTTP
> > - The attacker can read the target document on the wire
>
> I see, we are assuming a HSTS setup where you do not redirect port 80.
> That seems rather stupid. In that case I agree you would lose out.
>
>
> --
> https://annevankesteren.nl/
No, I'm not assuming that. But I am assuming SSLStrip.
That is, the redirect does naught for security and can be stripped away.
Plus the request itself will have already leaked the salient details.
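The first-visit leak described above, as an added example that is not part of the original thread: a constructed model of a browser's HSTS cache and a navigation function (all names are assumptions) showing that a plaintext request leaves the client unless the host is already known via HSTS, whether or not the server's port 80 redirect is in place.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class HstsStore:
    """Constructed model of a browser HSTS cache: host -> (expiry, includeSubDomains)."""
    entries: dict = field(default_factory=dict)

    def remember(self, host, header, now):
        """Record a Strict-Transport-Security header received over HTTPS."""
        m = re.search(r"max-age\s*=\s*(\d+)", header, re.I)
        if not m:
            return  # no max-age: header is invalid and ignored
        max_age = int(m.group(1))
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 clears the entry
            return
        subs = re.search(r"\bincludeSubDomains\b", header, re.I) is not None
        self.entries[host] = (now + max_age, subs)

    def is_known(self, host, now):
        """True if host (or a parent with includeSubDomains) has an unexpired entry."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, subs = entry
            if expiry > now and (i == 0 or subs):
                return True
        return False


def navigate(url, store, now, server_redirects=True, mitm_strips=False):
    """Report whether a navigation sends a plaintext request and where it ends up.

    An HSTS-known host is upgraded inside the client before any bytes go out.
    Otherwise the plaintext request (path, query, cookies) is already on the
    wire; a later 301 to https can be removed by an SSLStrip-style MITM.
    """
    parts = urlsplit(url)
    if parts.scheme == "https" or store.is_known(parts.hostname, now):
        return {"plaintext_sent": False, "final_scheme": "https"}
    final = "https" if (server_redirects and not mitm_strips) else "http"
    return {"plaintext_sent": True, "final_scheme": final}
```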