by Darkenetor
3259 days ago
The only solution is to always go for the HTTPS resource, disregarding any suggestion. On browsers a strict configuration of Smart HTTPS [0] covers that; for everything else I think the best solution would be to intercept all HTTP traffic, request the HTTPS counterpart (and decide if falling back on failure is acceptable instead of just dropping the connection), then serve the decrypted response locally. Worse than properly requesting the right one from the start, but hard enough to exploit.

[0] https://mybrowseraddon.com/smart-https.html
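An added example, not part of the comment above or of any project it mentions: a sketch of the upgrade-then-fetch policy it describes, with the fallback decision as an explicit flag. The function names, the port mapping (default port 80 becomes default 443, other ports kept) and the rejection of redirects back to HTTP are assumptions.

```python
import urllib.request
from urllib.parse import urlsplit, urlunsplit


class UpgradeFailed(Exception):
    """The HTTPS counterpart was unusable and fallback is not allowed."""


def to_https(url):
    """Return the HTTPS counterpart of an http:// URL (assumed mapping)."""
    p = urlsplit(url)
    if p.scheme == "https":
        return url
    if p.scheme != "http" or not p.hostname:
        raise ValueError(f"not an HTTP URL: {url!r}")
    host = f"[{p.hostname}]" if ":" in p.hostname else p.hostname
    # Drop the default HTTP port; keep any other explicit port unchanged.
    netloc = host if p.port in (None, 80) else f"{host}:{p.port}"
    # Userinfo and fragment are dropped; neither belongs in the upstream request.
    return urlunsplit(("https", netloc, p.path, p.query, ""))


def fetch_verified(url, timeout=10):
    """Default fetcher; urllib verifies certificates and hostnames by default."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.geturl(), resp.read()


def fetch_upgraded(url, fetch=fetch_verified, allow_fallback=False):
    """Fetch the HTTPS counterpart of url; return (scheme_used, body)."""
    secure = to_https(url)
    try:
        final_url, body = fetch(secure)
        # A redirect from HTTPS back to HTTP would silently undo the upgrade.
        if urlsplit(final_url).scheme != "https":
            raise OSError(f"downgrading redirect to {final_url}")
        return "https", body
    except OSError as exc:  # covers URLError, ssl.SSLError and timeouts
        # Dropping the connection is the default; fallback is an explicit choice.
        if not allow_fallback or secure == url:
            raise UpgradeFailed(secure) from exc
        _, body = fetch(url)
        return "http", body
```

The `fetch` parameter exists so the policy can be exercised offline with a stub; a local intercepting proxy would call `fetch_upgraded` for each plain-HTTP request and relay the returned body.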