W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2014

Re: Redirects and HSTS

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sat, 27 Sep 2014 08:54:38 +0200
Message-ID: <CADnb78g5Q-CGH9LVZY6NcPEHaQHktNWXenei11vq=DLKFBnKrQ@mail.gmail.com>
To: Ryan Sleevi <sleevi@google.com>
Cc: Tanvi Vyas <tanvi@mozilla.com>, Mike West <mkwst@google.com>, WebAppSec WG <public-webappsec@w3.org>
On Sat, Sep 27, 2014 at 8:36 AM, Ryan Sleevi <sleevi@google.com> wrote:
> On Sep 26, 2014 11:33 PM, "Anne van Kesteren" <annevk@annevk.nl> wrote:
>> On Fri, Sep 26, 2014 at 10:40 PM, Ryan Sleevi <sleevi@google.com> wrote:
>>> For HSTS, the question is "Could a MITM attacker gain access to the data
>>> otherwise"
>>>
>>> If we took away the +HSTS part
>>> - Source document HTTP, target document HTTP
>>>   - The attacker can read the target document on the wire
>>
>> I see, we are assuming a HSTS setup where you do not redirect port 80.
>> That seems rather stupid. In that case I agree you would lose out.
>
> No, I'm not assuming that. But I am assuming SSLStrip.

I think I'm out of my depth, but why would this give access to the
contents of the target document?


> That is, the redirect does naught for security and can be stripped away.
> Plus the request itself will have already leaked the salient details.

How so?


-- 
https://annevankesteren.nl/
Received on Saturday, 27 September 2014 06:55:06 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC