Re: HSTS, mixed content, and priming

On Tue, Aug 25, 2015 at 3:38 AM, Brian Smith <brian@briansmith.org> wrote:

> Tanvi Vyas <tvyas@mozilla.com> wrote:
>
>> On Aug 24, 2015, at 11:24 PM, Brian Smith <brian@briansmith.org> wrote:
>>
>> Neither "priming" nor u-i-r are secure against an active MitM so websites
>> cannot rely on them for security. Websites need to use https://
>> subresource links to actually be secure.
>>
>>
>> How so?  Neither priming nor u-i-r has to make an HTTP request. The
>> browser makes an HTTP request only when priming fails.
>>
>
> The MitM can block the priming request/response.
>

In that case, you're just back in the state we're in today, with normal
mixed content blocking.

--Richard
>
> Cheers,
> Brian
> --
> https://briansmith.org/
>
>
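To make the disagreement above concrete, here is a small model of how a browser could resolve an http:// subresource on an https:// page under the three behaviours the thread contrasts: plain mixed content blocking, upgrade-insecure-requests (u-i-r), and HSTS priming. This is an added illustration written for this archive page; it is not code from the thread, from Mozilla or from any browser, and the policy names, the `ProbeResult` type, the simulated origin and the simulated MitM are all assumptions. It also ignores the active/passive mixed content distinction and simply blocks. The point it shows is the one Richard makes: u-i-r upgrades without any probe, and when an active MitM drops the priming probe the outcome is identical to today's mixed content blocking, so nothing is fetched over plain http.

```python
# Added example (not from the thread): toy model of mixed content handling.
# Policies, ProbeResult, and the simulated network are all assumptions.
from dataclasses import dataclass
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class ProbeResult:
    reached: bool          # did the HSTS priming probe get any response?
    hsts: bool = False     # did that response carry Strict-Transport-Security?


def upgrade(url: str) -> str:
    """Rewrite an http:// URL to https:// without touching the rest."""
    parts = urlsplit(url)
    return urlunsplit(("https",) + tuple(parts[1:]))


def resolve_subresource(page_url: str, sub_url: str, policy: str,
                        probe: Optional[Callable[[str], ProbeResult]] = None
                        ) -> Tuple[str, str]:
    """Return (action, url) where action is 'fetch' or 'block'.

    policy: 'mcb'     -> ordinary mixed content blocking only (today)
            'uir'     -> upgrade-insecure-requests: rewrite, no probe
            'priming' -> HSTS priming: probe the https:// origin first
    probe:  callable(https_origin) -> ProbeResult; stands in for the network
            so a caller can simulate a MitM that drops the probe.
    """
    page, sub = urlsplit(page_url), urlsplit(sub_url)
    if page.scheme != "https" or sub.scheme != "http":
        return ("fetch", sub_url)          # not mixed content, nothing to decide
    if policy == "uir":
        # u-i-r rewrites before any request is issued: no http request, no probe.
        return ("fetch", upgrade(sub_url))
    if policy == "priming":
        if probe is None:
            raise ValueError("priming needs a probe function")
        result = probe("https://" + sub.netloc)
        if result.reached and result.hsts:
            return ("fetch", upgrade(sub_url))
        # Probe blocked, or origin has no HSTS: fall through to plain blocking.
    # Today's behaviour: the http:// subresource is mixed content and is blocked.
    return ("block", sub_url)


# --- constructed scenario used by the demo and the tests -------------------
PAGE = "https://shop.example.test/checkout"
SCRIPT = "http://cdn.example.test/lib.js"


def origin_with_hsts(https_origin: str) -> ProbeResult:
    """Simulated honest network: the CDN answers over TLS and sends HSTS."""
    return ProbeResult(reached=True, hsts=True)


def mitm_drops_probe(https_origin: str) -> ProbeResult:
    """Simulated active attacker: the priming probe never gets a response."""
    return ProbeResult(reached=False)


def demo() -> dict:
    """Outcome of each policy with and without an active MitM on the probe."""
    return {
        "mcb": resolve_subresource(PAGE, SCRIPT, "mcb"),
        "uir": resolve_subresource(PAGE, SCRIPT, "uir"),
        "priming_honest": resolve_subresource(PAGE, SCRIPT, "priming",
                                              origin_with_hsts),
        "priming_mitm": resolve_subresource(PAGE, SCRIPT, "priming",
                                            mitm_drops_probe),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} -> {outcome}")
```

Running the module prints one line per policy; the `priming_mitm` line matches the `mcb` line exactly, which is the "back in the state we're in today" observation, while `uir` upgrades with the probe never being called.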

Received on Tuesday, 25 August 2015 15:05:12 UTC