To me it seems far too pedantic to give an award for pointing out, based on a forum post that blocks links (Ask HN posts), that if you incorrectly use the partial URL you are at risk.
That's a valid point, but I can't see it being an impossibility that the user will never accidentally stumble into sending an HTTP request rather than HTTPS, whether that is user input or a maliciously placed link.
My understanding is that the HSTS header would make this attack less useful. But it's still a concern if you used Private Browsing/Incognito. The initial request will still hit a 301 (vulnerable to interception by a MITM). I've just verified this with Facebook.com on my machine (Chrome 26, OS X).
I think it's quite fair to expect a user using this kind of site is likely to use Incognito.
I'm actually kind of surprised, as I thought Chrome had a standard list of sites that use HTTPS only, such as Facebook. (Woah.. seems the preload list is TINY: http://www.chromium.org/sts )
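The first-visit gap described above, as an added illustration that is not from the thread: a small Python model of a fresh (Incognito) profile's HSTS cache, with a constructed preload list and constructed HTTP/HTTPS responses, showing why the very first http:// navigation still goes out in plaintext and only later ones are upgraded.

```python
# Constructed stand-in for a browser's built-in preload list, not the real Chromium one.
PRELOAD_LIST = {"preloaded.example"}

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value (RFC 6797); None if unusable."""
    if not header_value:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

class FreshBrowser:
    """A profile with an empty HSTS cache, as in a new Incognito window."""
    def __init__(self):
        self.hsts_cache = {}  # host -> parsed policy

    def navigate(self, host, scheme, response):
        """Return how a navigation to scheme://host leaves the machine, then learn
        from `response` (constructed dict: status, tls, headers). "upgraded" means
        rewritten to https before any packet is sent; "plaintext" means a real HTTP
        request went out; "https" means TLS from the start."""
        if scheme == "http" and (host in PRELOAD_LIST or host in self.hsts_cache):
            return "upgraded"
        policy = parse_hsts(response["headers"].get("Strict-Transport-Security"))
        # RFC 6797 8.1: an STS header received over a non-TLS connection is ignored.
        if policy and response["tls"]:
            if policy["max_age"] > 0:
                self.hsts_cache[host] = policy
            else:
                self.hsts_cache.pop(host, None)  # max-age=0 clears the policy
        return "https" if scheme == "https" else "plaintext"

def first_visit_sequence(host):
    """The case the thread describes: typing http://host in a fresh profile."""
    b = FreshBrowser()
    redirect = {"status": 301, "tls": False, "headers": {"Location": f"https://{host}/"}}
    secure = {"status": 200, "tls": True, "headers": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}}
    first = b.navigate(host, "http", redirect)   # plaintext 301, interceptable by a MITM
    b.navigate(host, "https", secure)            # the HTTPS response populates the cache
    second = b.navigate(host, "http", redirect)  # now upgraded before leaving the machine
    return first, second
```

A server that also sends the header on its plaintext 301 gains nothing, because the browser discards STS received over non-TLS; only the preload list closes the first-request window.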
Some day maybe we'll see browser-enforced secure DNS that has the ability to include certificates or set HSTS. Maybe the same day IPv6 finally takes over, in a few centuries.
I like the kind of pinning and preloading that Chrome does, but it's such a tiny gesture compared to the size of the internet, and nobody else seems to be trying to deploy better security.
Perhaps there could be open whitelists where sites could nominate themselves as 'HTTPS only'. It wouldn't even need to be built into the browsers; it could just be a thing people do when they launch a clean browser install: hit up https://blahsitelist.com and click a button that fires off HTTPS requests to all of those sites, which would cache the HSTS header? (I've only stumbled on HSTS headers today, so I may be overly flamboyant as to their usefulness.)
Although, come to think of it, isn't that basically what the HTTPS Everywhere extension does?