[FatalLogic]

In this case, I think if the user makes an HTTP connection to a site, even if the site is HTTPS only, the attacker can intercept it, and man-in-the-middle it or pose as the legitimate site

edit: and, the reason it's an issue is not because these systems and networks don't have strong secure communication options available, but because if there is any potential security hole at all, some users will fall into it

[cyphar]

Which is a problem that HSTS and the HSTS preload list[1] solve.

[1]: https://hstspreload.org/

[remram]

Can you get a tor hidden service in the preload list?

[cyphar]

The HSTS preload checking service doesn't support .onion URLs (not to mention you can only get EV certificates for .onion URLs).

However, Tor onion services cannot be MITM'd by an exit node, because you don't use exit nodes and the connection is end-to-end encrypted (and authenticated -- the URL is also the public key of the hidden service so you'd need their key to spoof the service). So arguably .onion URLs are far harder to attack in this manner than TLS, and the HSTS preload list isn't needed at all to protect .onion URLs.

[crtasm]

I don't know, but your connection to a .onion service is encrypted before leaving your machine (no nodes see plain HTTP traffic). It's also authenticated as the domain is derived from the public half of the keypair.

[mrslave]

Good explanation.

Firefox has had `dom.security.https_only_mode` for a while and it's amazing.

[sabellito]

How would that work? To my understanding https prevents mitm attacks.

[thrwaeasddsaf]

That assumes you're using https in the first place. Try enter openbsd.org in your browser and see whether you get the https site or not.

[crtasm]

I get the HTTPS site, thanks to the HTTPS Everywhere extension.

[batch12]

There are a few ways one could perform this attack. SSL stripping would be the most transparent. The attacker could also proxy SSL with a different cert. If the cert was invalid the victim would at least be warned. HSTS should mitigate this threat.

[wizzwizz4]

It does. But it doesn't protect against:

User → HTTP connection → [INTERCEPTION] → HTTPS connection → website.

[mimi89999]

Doesn't HTTPS Everywhere solve this problem?