Re: Redirects and HSTS

On Sat, Sep 27, 2014 at 8:36 AM, Ryan Sleevi <sleevi@google.com> wrote:
> On Sep 26, 2014 11:33 PM, "Anne van Kesteren" <annevk@annevk.nl> wrote:
>> On Fri, Sep 26, 2014 at 10:40 PM, Ryan Sleevi <sleevi@google.com> wrote:
>>> For HSTS, the question is "Could a MITM attacker gain access to the data
>>> otherwise"
>>>
>>> If we took away the +HSTS part
>>> - Source document HTTP, target document HTTP
>>>   - The attacker can read the target document on the wire
>>
>> I see, we are assuming an HSTS setup where you do not redirect port 80.
>> That seems rather stupid. In that case I agree you would lose out.
>
> No, I'm not assuming that. But I am assuming SSLStrip.

I think I'm out of my depth, but why would this give access to the
contents of the target document?


> That is, the redirect does naught for security and can be stripped away.
> Plus the request itself will have already leaked the salient details.

How so?


-- 
https://annevankesteren.nl/

Received on Saturday, 27 September 2014 06:55:06 UTC
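The SSLStrip scenario argued over in the messages above, as an added example that is not part of the thread and is not code from any participant: a toy model (no sockets, no TLS; the hostname, cookie value and class names are constructed for illustration) in which an origin redirects port 80 to HTTPS and an on-path attacker replaces that redirect with the HTTPS document fetched on the client's behalf. It shows the two points at issue: the plaintext request (path and cookie) is on the wire before any redirect arrives, and the redirect itself is stripped unless the client already holds an HSTS entry for the host and so never speaks plaintext at all.

```python
"""Toy model of SSLStrip against an HTTP-to-HTTPS redirect, with and without HSTS.
Added example: no real networking; hostname, cookie and class names are constructed."""
from dataclasses import dataclass

HOST = "bank.example"            # constructed hostname
SECRET_PAGE = "balance: 1234"    # constructed target document
REDIRECT_CODES = {301, 302, 307, 308}


@dataclass
class Request:
    scheme: str
    host: str
    path: str
    headers: dict


@dataclass
class Response:
    status: int
    headers: dict
    body: str = ""


class OriginServer:
    """Redirects plain HTTP to HTTPS and sets HSTS only on the HTTPS response."""

    def handle(self, req):
        if req.scheme == "http":
            return Response(301, {"Location": f"https://{req.host}{req.path}"})
        return Response(200, {"Strict-Transport-Security": "max-age=31536000"}, SECRET_PAGE)


class Network:
    """Honest path. Anything sent as plain HTTP is readable by whoever is on it."""

    def __init__(self, origin):
        self.origin = origin
        self.observed = []  # plaintext request/response pairs seen on the path

    def tamper(self, req, resp):
        return resp  # an honest network changes nothing

    def relay(self, req):
        resp = self.tamper(req, self.origin.handle(req))
        if req.scheme == "http":
            self.observed.append({"path": req.path,
                                  "cookie": req.headers.get("Cookie"),
                                  "body": resp.body})
        return resp


class SslStripNetwork(Network):
    """On-path attacker: TLS passes untouched, but an HTTP redirect to https://
    is swapped for the HTTPS document, fetched by the attacker and returned in
    plaintext with the HSTS header removed."""

    def tamper(self, req, resp):
        if (req.scheme == "http" and resp.status in REDIRECT_CODES
                and resp.headers.get("Location", "").startswith("https://")):
            real = self.origin.handle(Request("https", req.host, req.path, req.headers))
            headers = {k: v for k, v in real.headers.items()
                       if k.lower() != "strict-transport-security"}
            return Response(200, headers, real.body)
        return resp


class Browser:
    def __init__(self, network, hsts_hosts=()):
        self.network = network
        self.hsts = set(hsts_hosts)            # preloaded or previously cached hosts
        self.cookies = {"session": "abc123"}   # constructed; not Secure-flagged

    def navigate(self, url, hops=0):
        scheme, rest = url.split("://", 1)
        host, _, path = rest.partition("/")
        path = "/" + path
        if host in self.hsts:
            scheme = "https"  # upgraded before anything reaches the wire
        cookie = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        resp = self.network.relay(Request(scheme, host, path, {"Cookie": cookie}))
        if scheme == "https" and "Strict-Transport-Security" in resp.headers:
            self.hsts.add(host)
        if resp.status in REDIRECT_CODES and hops < 3:
            return self.navigate(resp.headers["Location"], hops + 1)
        return resp


def visit(attacker_present, hsts_cached):
    """One navigation to http://HOST/account under the chosen conditions."""
    net = (SslStripNetwork if attacker_present else Network)(OriginServer())
    browser = Browser(net, hsts_hosts=[HOST] if hsts_cached else [])
    resp = browser.navigate(f"http://{HOST}/account")
    return {"body": resp.body, "leaked": net.observed, "hsts_learned": HOST in browser.hsts}


def first_visit_then_attack():
    """Trust on first use: an honest first visit caches HSTS, which then makes a
    later visit on a hostile network go straight to HTTPS."""
    browser = Browser(Network(OriginServer()))
    browser.navigate(f"http://{HOST}/")
    attack_net = SslStripNetwork(OriginServer())
    browser.network = attack_net
    resp = browser.navigate(f"http://{HOST}/account")
    return resp.body, attack_net.observed


if __name__ == "__main__":
    for attacker in (False, True):
        for cached in (False, True):
            print(f"attacker={attacker} hsts_cached={cached}:", visit(attacker, cached))
    print("first honest visit, then attack:", first_visit_then_attack())
```

Even on the honest path the first request leaks the path and the session cookie in plaintext before the 301 arrives, which is the "request itself will have already leaked" point; with the attacker present the user still sees the right page, the browser never sees HTTPS or the HSTS header, and the attacker has the document. Only a client that already holds the HSTS entry (preloaded, or learned on an earlier honest visit) sends nothing in plaintext.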