by ttty 2819 days ago
For example, you can go to my http://website.com. Now, the normal website has an HTTPS redirect on the home page. Your router replaces that page and disables the redirect. Now it is up to you to notice you're on an HTTP connection.

If you think this is rare, I can tell you some Fortune 500 FX and stock trading sites had this vulnerability a year ago (didn't check again).


This is why certificate pinning and modern web security practices are so important. On a well configured site, this attack would fail.
If you had never visited the site, how would modern security practices have prevented the attack?

HSTS is useless in this case, isn't it?

Correct. HSTS does not protect against a first visit to a site. And to work around HSTS, there are many ways to get users to clear their caches, install new browsers, or use new devices to browse sites they've already visited.

Technically, if the domain had DNSSEC enabled, it might prevent this kind of attack, but no regular consumer is using a validating stub resolver, so even DNSSEC wouldn't work.

Now that browsers are saying "Not Secure" by default for HTTP pages, users are apparently expected to notice this popping up where it didn't before and realize they're on a phishing site.

Many sites can be included as HSTS only in Chrome itself, so it wouldn't be entirely useless.

https://hstspreload.org

Anyone can preload their domain in Chrome, Firefox and others that share the preload list. I'm not sure what vulnerabilities are left after your site has been preloaded.
The only vulnerability left would be, as mentioned above, a client installing a browser that doesn't support HSTS.
If your attack relies on getting the user to install your own browser, don't waste your time with a simple HSTS bypass.
No. If the domain (and its subdomains) is preloaded, then a first visit is not required. The HSTS requirement is then baked into a list supported by modern browsers such as Firefox and Chrome.
Preloading always includes subdomains (it's not possible to preload just the TLD).
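To make the "first visit" point and the preload discussion above concrete, here is a toy model of how a browser decides whether an http:// navigation gets upgraded: a static preload list plus a dynamic cache filled from Strict-Transport-Security headers. This is an added example written for this thread, not code from any browser or from hstspreload.org; the header syntax follows RFC 6797, the preload checks (max-age of at least one year, includeSubDomains, preload) follow the requirements published at https://hstspreload.org, and every host name in it is constructed.

```python
"""Toy model of browser HSTS state: preload list + dynamic cache.

Added illustration, not code from any browser.  Header syntax follows
RFC 6797; preload checks follow https://hstspreload.org.  Host names used
in the usage section are constructed.
"""
import time
from typing import Callable, Optional

ONE_YEAR = 31536000  # seconds; minimum max-age hstspreload.org accepts


def parse_hsts(header: str) -> Optional[tuple[int, bool, bool]]:
    """Parse an STS header value into (max_age, include_subdomains, preload).

    Returns None when max-age is missing or malformed, matching browser
    behaviour: an invalid header is ignored and nothing is cached.
    """
    max_age = None
    include_subdomains = preload = False
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_subdomains, preload


def preload_problems(header: str) -> list[str]:
    """List why a header would be rejected for preloading (empty list = OK)."""
    parsed = parse_hsts(header)
    if parsed is None:
        return ["missing or invalid max-age"]
    max_age, include_subdomains, preload = parsed
    problems = []
    if max_age < ONE_YEAR:
        problems.append(f"max-age {max_age} is below {ONE_YEAR}")
    if not include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not preload:
        problems.append("preload directive missing")
    return problems


class HstsStore:
    """Minimal HSTS policy store: preloaded hosts plus dynamic entries with expiry."""

    def __init__(self, preloaded: set[str], clock: Callable[[], float] = time.time):
        # Preloaded hosts always cover their subdomains (the list requires it).
        self.preloaded = preloaded
        # host -> (expiry timestamp, includeSubDomains flag)
        self.dynamic: dict[str, tuple[float, bool]] = {}
        self.clock = clock

    def record(self, host: str, header: str) -> None:
        """Apply an STS header that `host` sent over HTTPS (never over HTTP)."""
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_subdomains, _ = parsed
        if max_age == 0:  # max-age=0 tells the browser to forget the host
            self.dynamic.pop(host, None)
            return
        self.dynamic[host] = (self.clock() + max_age, include_subdomains)

    def must_upgrade(self, host: str) -> bool:
        """True if a plain http:// navigation to `host` is rewritten to https://.

        Walks the host and each parent domain; a parent only counts when its
        entry carries includeSubDomains (preload entries always do).
        """
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preloaded:
                return True
            entry = self.dynamic.get(candidate)
            if entry is None:
                continue
            expires, include_subdomains = entry
            if expires <= self.clock():
                self.dynamic.pop(candidate)  # expired entries are dropped
                continue
            if i == 0 or include_subdomains:
                return True
        return False  # unknown host: first visit is a plain HTTP request


if __name__ == "__main__":
    store = HstsStore({"bank.example"})  # constructed preload list
    print(store.must_upgrade("login.bank.example"))   # preloaded parent
    print(store.must_upgrade("shop.example"))         # never visited
    print(preload_problems("max-age=300"))
```

The `must_upgrade` walk is where the thread's two points meet: a host that is neither preloaded nor already cached returns False, so the very first http:// request goes out in the clear and a router that strips the redirect wins; a preloaded apex returns True for every subdomain without any prior visit, which is why the preload form insists on includeSubDomains.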
HSTS and Certificate Transparency, yes. Certificate Pinning is too easy to shoot yourself in the foot with, so it should only be considered for the most sensitive sites.
Dynamic pinning (HPKP header) is being rolled back from browsers because of the reasons you mention. Only a small set of static pins will remain (in Chrome, Google sites for example).