Tom Pollard · Jul 24, 2018 · 8:40 AM UTC

Tom Pollard

earlier replies

Tom Pollard @Tom__Pollard

24 Jul 2018

Replying to @pwaring

Leeds do 😉

Daniel Silverstone 💉💉💉💉² 🏳️‍🌈🇬🇧 · Jul 24, 2018 · 9:06 AM UTC

Daniel Silverstone 💉💉💉💉² 🏳️‍🌈🇬🇧 @dsilverstone

24 Jul 2018

Without HSTS. Offering both HTTP and HTTPS is pointless

Daniel Silverstone 💉💉💉💉² 🏳️‍🌈🇬🇧 · Jul 24, 2018 · 9:09 AM UTC

Daniel Silverstone 💉💉💉💉² 🏳️‍🌈🇬🇧 · Jul 24, 2018 · 9:09 AM UTC

Daniel Silverstone 💉💉💉💉² 🏳️‍🌈🇬🇧 @dsilverstone

24 Jul 2018

Replying to @pwaring @Tom__Pollard

HSTS tells browsers to ignore the HTTP response other than the redirect-to-HTTPS, and then the HTTPS served HSTS locks the browser in for the period the HSTS header states.

Jul 24, 2018 · 9:09 AM UTC

Daniel Silverstone 💉💉💉💉² 🏳️‍🌈🇬🇧 · Jul 24, 2018 · 9:10 AM UTC

Daniel Silverstone 💉💉💉💉² 🏳️‍🌈🇬🇧 @dsilverstone

24 Jul 2018

Replying to @dsilverstone @pwaring @Tom__Pollard

So yes, unless you're in the preload list, it won't prevent a MITM doing an HTTP-only thing, but the moment *any* resource gets loaded from the HTTPS real site, the browser is "fixed"

Daniel Silverstone 💉💉💉💉² 🏳️‍🌈🇬🇧 · Jul 24, 2018 · 9:12 AM UTC

Daniel Silverstone 💉💉💉💉² 🏳️‍🌈🇬🇧 @dsilverstone

24 Jul 2018

Then again, getting on the preload list is fairly easy, if slow.