W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2014

Re: Redirects and HSTS

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sat, 27 Sep 2014 08:54:38 +0200
Message-ID: <CADnb78g5Q-CGH9LVZY6NcPEHaQHktNWXenei11vq=DLKFBnKrQ@mail.gmail.com>
To: Ryan Sleevi <sleevi@google.com>
Cc: Tanvi Vyas <tanvi@mozilla.com>, Mike West <mkwst@google.com>, WebAppSec WG <public-webappsec@w3.org>
On Sat, Sep 27, 2014 at 8:36 AM, Ryan Sleevi <sleevi@google.com> wrote:
> On Sep 26, 2014 11:33 PM, "Anne van Kesteren" <annevk@annevk.nl> wrote:
>> On Fri, Sep 26, 2014 at 10:40 PM, Ryan Sleevi <sleevi@google.com> wrote:
>>> For HSTS, the question is "Could a MITM attacker gain access to the data
>>> otherwise"
>>> If we took away the +HSTS part
>>> - Source document HTTP, target document HTTP
>>>   - The attacker can read the target document on the wire
>> I see, we are assuming a HSTS setup where you do not redirect port 80.
>> That seems rather stupid. In that case I agree you would lose out.
> No, I'm not assuming that. But I am assuming SSLStrip.

I think I'm out of my depth, but why would this give access to the
contents of the target document?

> That is, the redirect does naught for security and can be stripped away.
> Plus the request itself will have already leaked the salient details.

How so?

Received on Saturday, 27 September 2014 06:55:06 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:40 UTC