by hsbauauvhabzb
972 days ago
1) Half-wrong: complete crypto-stripping downgrade attacks are possible if HSTS and HSTS preloading are not implemented. IIRC it was possible to perform downgrade attacks up to SSLv3, but again the client must accept these algorithms; modern browsers reject them. Disabling port 80 has no value[1], unless clients who do not respect HSTS are of concern (I think curl does not).

[1] https://letsencrypt.org/docs/allow-port-80/
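Editor's note, added example (not the commenter's code): the comment above turns on three things a client does with Strict-Transport-Security: whether it parses the header at all, whether the host was preloaded before the first visit, and whether the header is even eligible for the preload list. The block below models exactly that. `parse_hsts` follows RFC 6797 (max-age required, duplicates invalid, unknown directives ignored); `preload_problems` checks the header against the published hstspreload.org requirements (max-age of at least one year, includeSubDomains, preload); `HSTSClient` is a toy browser policy store, with `honours_hsts=False` standing in for a client such as curl that ignores the header. The hostnames and header values are constructed for the example; the redirect-from-port-80 check that the preload service also performs is not modelled.

```python
"""Model the client side of HSTS: header parsing, preload eligibility,
and the decision to upgrade a plain http:// request before it is sent."""
import re
import time

# Minimum max-age accepted by the hstspreload.org submission form (one year).
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header):
    """Parse an STS header value per RFC 6797 section 6.1.

    Returns {"max_age": int, "include_subdomains": bool, "preload": bool},
    or None when the header is invalid (missing, duplicated or non-numeric
    max-age), which a conforming UA must treat as if no header were sent.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')      # quoted-string values are allowed
        if name == "max-age":
            if policy["max_age"] is not None or not re.fullmatch(r"\d+", value):
                return None                   # duplicate or malformed max-age
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # any other directive is ignored, as the RFC requires
    if policy["max_age"] is None:
        return None
    return policy


def preload_problems(header):
    """List the reasons a header fails the hstspreload.org header checks.

    An empty list means the header itself is acceptable; the service also
    requires an HTTP->HTTPS redirect on the same host, not modelled here.
    """
    policy = parse_hsts(header)
    if policy is None:
        return ["header missing or max-age invalid"]
    problems = []
    if policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below one year (%d)" % PRELOAD_MIN_MAX_AGE)
    if not policy["include_subdomains"]:
        problems.append("missing includeSubDomains")
    if not policy["preload"]:
        problems.append("missing preload directive")
    return problems


class HSTSClient:
    """Toy browser HSTS store: remembers policies learned over HTTPS and
    upgrades later http:// requests. honours_hsts=False models a client
    (curl-like) that never consults the header or a preload list."""

    def __init__(self, preloaded=(), honours_hsts=True):
        self.preloaded = {h.lower() for h in preloaded}   # constructed list
        self.honours_hsts = honours_hsts
        self.store = {}                        # host -> (expiry, include_subdomains)

    def observe_https_response(self, host, sts_header, now=None):
        """Record the policy carried by an HTTPS response (a header seen over
        plain HTTP must be ignored, so callers only feed HTTPS responses)."""
        if not self.honours_hsts:
            return
        policy = parse_hsts(sts_header)
        if policy is None:
            return
        now = time.time() if now is None else now
        if policy["max_age"] == 0:
            self.store.pop(host.lower(), None)  # max-age=0 revokes the policy
            return
        self.store[host.lower()] = (now + policy["max_age"], policy["include_subdomains"])

    def upgrades(self, host, now=None):
        """True if http://host would be rewritten to https:// before any
        packet leaves the client; False means a stripping proxy gets a shot."""
        if not self.honours_hsts:
            return False
        host = host.lower()
        now = time.time() if now is None else now
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            # Public preload entries require includeSubDomains, so they cover children.
            if candidate in self.preloaded:
                return True
            entry = self.store.get(candidate)
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False
```

Running `HSTSClient().upgrades("example.test")` before any HTTPS visit returns False, which is the first-visit window the comment describes; the same host preloaded, or visited once over HTTPS with a valid header, returns True; the `honours_hsts=False` client returns False no matter what the server sent.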