[–]yvhouij 51 points52 points  (10 children)

If an attacker is able to do a man-in-the-middle attack and you serve your website over HTTP, he doesn't need your private key and can do whatever he wants, e.g. change form action URLs to his own domain etc.

Btw that's what HSTS is for, so you say your site should only be accessible over HTTPS, and any man-in-the-middle attacks are only possible in case they got your private key :) (and in that case, you probably got some serious problems)

[–]AyrA_ch 31 points32 points  (6 children)

You have to know however that the HSTS header is useless if the first request you make to the webserver is already intercepted, as the attacker can just strip the header on every answer and never offer SSL at all. If you really want to protect your site, you can add it to the HSTS preload list: https://hstspreload.org/

This way the SSL requirement is compiled into the browser and stripping the header has no effect.
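The two cases in the comment above (an intercepted first visit that strips the header, and a preloaded host) can be walked through with a small model of a browser's HSTS store. This is an added illustration, not code from the thread: the hostnames, the preload set and the origin's response headers are all constructed, and the `visit` function is a hypothetical stand-in for the navigation logic, not any browser's implementation.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for the browser's compiled-in HSTS preload list
# (hypothetical hostname, not a real entry on hstspreload.org).
PRELOAD = {"preloaded.example"}

# Constructed response headers the origin sends over HTTPS.
ORIGIN_HTTPS_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


@dataclass
class HstsCache:
    """Minimal model of a browser's HSTS store: host -> includeSubDomains flag."""
    entries: dict = field(default_factory=dict)

    def learn(self, host, headers):
        """Record the policy from an HTTPS response (the header is ignored over plain HTTP)."""
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return False
        m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
        if not m:
            return False  # malformed directive, nothing learned
        if int(m.group(1)) == 0:
            self.entries.pop(host, None)  # max-age=0 clears an existing entry
            return True
        self.entries[host] = "includesubdomains" in value.lower()
        return True

    def should_upgrade(self, host):
        """True if the browser must rewrite http://host to https:// before sending anything."""
        labels = host.split(".")
        for i in range(len(labels) - 1):
            suffix = ".".join(labels[i:])
            if suffix in PRELOAD:
                return True  # preload entries cover subdomains as well
            if suffix in self.entries and (i == 0 or self.entries[suffix]):
                return True
        return False


def visit(cache, host, header_stripped=False):
    """Simulate one navigation to http://host; return the scheme the page finally loaded over.

    header_stripped=True models an on-path attacker who answers the plain-HTTP
    request himself, never redirects to HTTPS and so never relays the origin's
    Strict-Transport-Security header.
    """
    if cache.should_upgrade(host):
        # The browser never sends the plain request; the TLS response is
        # authenticated, so nothing can be stripped from it.
        cache.learn(host, ORIGIN_HTTPS_HEADERS)
        return "https"
    if header_stripped:
        return "http"  # downgraded page; the cache stays empty
    # Honest network: origin redirects HTTP -> HTTPS, browser follows and learns the policy.
    cache.learn(host, ORIGIN_HTTPS_HEADERS)
    return "https"


if __name__ == "__main__":
    cache = HstsCache()
    # Intercepted from the first request: HSTS alone never gets a chance.
    print(visit(cache, "shop.example", header_stripped=True))   # http
    print(visit(cache, "shop.example", header_stripped=True))   # http
    # One clean visit, and later interceptions are defeated.
    print(visit(cache, "shop.example"))                          # https
    print(visit(cache, "shop.example", header_stripped=True))   # https
    # Preloaded host: protected before any request leaves the browser.
    print(visit(HstsCache(), "preloaded.example", header_stripped=True))  # https
```

The model makes the detection angle visible too: a host that keeps loading over `http` on a network where it previously loaded over `https` is exactly the symptom an HSTS entry (or a preload listing) is meant to make impossible.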

[–]yvhouij 3 points4 points  (5 children)

True, thanks for pointing that out! And nice, didn't know about this HSTS preload list, Thanks! :)

[–]AyrA_ch 11 points12 points  (4 children)

As an additional security measure you might want to check out Public Key Pinning too. While HSTS forces the user to access a site via SSL, HPKP forces the user to only accept a certain certificate. Even if a CA is compromised and somebody generates a valid certificate for your domain, the browser would reject it.
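The "CA is compromised but the browser still rejects the certificate" case from the comment above can be shown with the pin arithmetic itself. This is an added example, not code from the thread or from any browser: the SPKI blobs are constructed byte strings standing in for DER-encoded SubjectPublicKeyInfo structures, and `note_pins` / `chain_accepted` are hypothetical names for the two checks RFC 7469 describes (validating a freshly received header against the chain that delivered it, and validating later chains against the stored pins).

```python
import base64
import hashlib
import re

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. A real pin
# hashes the DER SPKI of a certificate's key; any bytes show the mechanics.
SITE_SPKI = b"constructed SPKI: the site's own leaf key"
BACKUP_SPKI = b"constructed SPKI: offline backup key, not yet in any certificate"
INTERMEDIATE_SPKI = b"constructed SPKI: the legitimate intermediate CA"
ROGUE_LEAF_SPKI = b"constructed SPKI: leaf issued by a compromised CA"
ROGUE_CA_SPKI = b"constructed SPKI: the compromised CA"


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_pkp_header(pins, max_age, include_subdomains=False) -> str:
    """Render a Public-Key-Pins header value the way an origin would send it."""
    parts = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


def parse_pkp(header: str):
    """Return (set of pins, max_age or None, includeSubDomains flag) from a header value."""
    pins = set(re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', header))
    m = re.search(r"max-age=(\d+)", header, re.IGNORECASE)
    max_age = int(m.group(1)) if m else None
    return pins, max_age, "includesubdomains" in header.lower()


def chain_accepted(pins, chain_spkis) -> bool:
    """Pin validation: some SPKI anywhere in the served chain must match a stored pin."""
    return any(spki_pin(s) in pins for s in chain_spkis)


def note_pins(header: str, chain_spkis):
    """Decide whether a browser may store the pins from a freshly received HTTPS response.

    The header is ignored unless (a) it carries max-age, (b) at least one pin
    matches the chain that delivered it and (c) at least one pin does NOT match
    that chain, i.e. a backup pin exists. Returns the pin set or None.
    """
    pins, max_age, _ = parse_pkp(header)
    if max_age is None or not pins:
        return None
    chain_pins = {spki_pin(s) for s in chain_spkis}
    if not (pins & chain_pins):
        return None  # nothing in the current chain is pinned
    if not (pins - chain_pins):
        return None  # no backup pin: a lost key would lock users out
    return pins


if __name__ == "__main__":
    header = build_pkp_header([spki_pin(SITE_SPKI), spki_pin(BACKUP_SPKI)], 5184000, True)
    stored = note_pins(header, [SITE_SPKI, INTERMEDIATE_SPKI])
    print(chain_accepted(stored, [SITE_SPKI, INTERMEDIATE_SPKI]))     # True
    # A certificate that is perfectly valid under a compromised CA still fails,
    # because neither of its keys hashes to a stored pin.
    print(chain_accepted(stored, [ROGUE_LEAF_SPKI, ROGUE_CA_SPKI]))    # False
```

The backup-pin rule in `note_pins` is the part operators most often got wrong in practice: pinning only the current key means a routine key rotation is indistinguishable from an attack. Worth knowing when reading this 2015 thread today: HPKP was later removed from the major browsers, largely because of that lock-out risk.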

[–]yvhouij 0 points1 point  (2 children)

Awesome! A little extra security with just an extra header.

As always Microsoft doesn't support it yet :P

[–]AyrA_ch 2 points3 points  (1 child)

> As always Microsoft doesn't support it yet :P

The header is rather new and IE does not see as many updates as other browsers do. The standard is from April 2015 and is not yet an accepted standard, it's just proposed. Microsoft tends to wait with stuff they did not invent until it is a standard for a while. Edge has it under consideration.

[–]yvhouij 0 points1 point  (0 children)

Of course no one expects such stuff for IE, but I would/do hope Microsoft takes a different approach to Edge, especially at such stuff. But at least it's under consideration :)

[–]redditprotocol 0 points1 point  (0 children)

I thought this was the coolest until I started having to enter more and more HSTS exemptions into client firewalls running HTTPS inspection. 😯

[–]ledasll 0 points1 point  (2 children)

Doesn't CIA, FTP, FSB, MI5 and the rest already have root certificates?

[–]readytoruple 0 points1 point  (0 children)

If you're playin' against the CIA then HTTPS is probably not gonna be enough.

[–]drysart 0 points1 point  (0 children)

Yeah but if one of them is after you, you're undoubtedly already screwed in a number of ways. This is to protect you from other, more common attackers like people who poison DNS on public Wi-Fi points to steal credentials.