by RainaRelanah 3178 days ago
But there are protections against this, such as HSTS. I would expect someone with as much sensitive information as Equifax to have HSTS + HPKP pinned into the major browsers. Their server should never even receive an HTTP request. It's just unrivaled incompetence.
2 comments

HSTS doesn't help if it's your first visit to the site. To work around that they'd need to get into a preload list.
Which is easy if you set the preload header.
This. The technology (HSTS, HPKP, Subresource Integrity, upgrade-insecure-requests) is there; sites that need it just don't seem to use it.
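Since the thread turns on whether a site's Strict-Transport-Security header actually qualifies it for the browser preload list, here is a small checker for that, added as an example and not code from the thread or from any of the parties discussed. It checks only the header itself (max-age of at least one year, includeSubDomains, preload, no duplicate directives per RFC 6797); the preload list additionally requires a valid certificate and an HTTP-to-HTTPS redirect, which a header check cannot verify. The sample header values in the test are constructed.

```python
# Requirements the Chromium HSTS preload list (hstspreload.org) places on the
# Strict-Transport-Security header itself. Serving a valid certificate and
# redirecting HTTP to HTTPS are also required but are out of scope here.
PRELOAD_MIN_MAX_AGE = 31536000  # one year, in seconds


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a dict of directives.

    Directive names are case-insensitive (RFC 6797). A directive that
    appears more than once makes the header invalid, so None is returned.
    """
    directives = {}
    for raw in header_value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None  # duplicate directive: header must be ignored
        directives[name] = value.strip().strip('"')
    return directives


def preload_problems(header_value):
    """Return the reasons this header would be rejected for preloading.

    An empty list means the header meets the preload-list header rules.
    """
    problems = []
    directives = parse_hsts(header_value)
    if directives is None:
        return ["duplicate directive in header"]
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age directive missing or not a number")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age %s is below the required %d (one year)"
                        % (max_age, PRELOAD_MIN_MAX_AGE))
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive missing")
    if "preload" not in directives:
        problems.append("preload directive missing")
    return problems
```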