by ryalfalpha 4762 days ago
That's a valid point, but I can't see it being an impossibility that the user will never accidentally stumble into sending an HTTP request rather than HTTPS, whether that is through user input or a maliciously placed link.

My understanding is that the HSTS header would make this attack less useful. But it's still a concern if you use Private Browsing/Incognito. The initial request will still hit a 301 (vulnerable to interception by a MITM). I've just verified this with Facebook.com on my machine (Chrome 26, OS X).

I think it's quite fair to expect a user using this kind of site is likely to use Incognito.

I'm actually kind of surprised, as I thought Chrome had a standard list of sites that use HTTPS only, such as Facebook. (Whoa... it seems the preload list is TINY: http://www.chromium.org/sts )


Some day maybe we'll see browser-enforced secure DNS that has the ability to include certificates or set HSTS. Maybe the same day IPv6 finally takes over, in a few centuries.

I like the kind of pinning and preloading that Chrome does, but it's such a tiny gesture compared to the size of the internet, and nobody else seems to be trying to deploy better security.

Someday ;)

Perhaps there could be open whitelists where sites could nominate themselves as 'HTTPS only'. It wouldn't even need to be built into the browsers; it could just be a thing people do when they launch a clean browser install: hit up https://blahsitelist.com and click a button that fires off HTTPS requests to all of those sites, which would cache the HSTS header. (I've only stumbled on HSTS headers today, so I may be overly flamboyant as to their usefulness.)

Although, come to think of it, isn't that just basically what the HTTPS Everywhere extension does?
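To make concrete both the first-request gap from the first comment (a fresh or Incognito profile sends its first http:// request in cleartext, so the 301 can be answered by a man-in-the-middle) and the preload/priming idea from the second, here is an added example that is not code from the thread or from any browser: a toy model of a browser's HSTS store in JavaScript (Node). It parses a Strict-Transport-Security header per RFC 6797, records policies only when they arrive over TLS, honours includeSubDomains and expiry, and treats a preload list as policy that exists before any response is seen. Host names, header values and timestamps are constructed for the illustration.

```javascript
// Toy model of a browser's HSTS state. Added example, not from the thread or any browser.
// Host names, header values and timestamps below are constructed.

// Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).
// Returns { maxAge, includeSubDomains } or null when the header is unusable
// (no max-age, or a non-numeric max-age). Unknown directives are ignored.
function parseHsts(value) {
  if (typeof value !== 'string') return null;
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of value.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? null : directive.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (name === 'max-age') {
      if (val === null || !/^\d+$/.test(val)) return null;
      maxAge = Number(val);
    } else if (name === 'includesubdomains') {
      includeSubDomains = true;
    }
  }
  if (maxAge === null) return null;
  return { maxAge, includeSubDomains };
}

class HstsStore {
  // `preload` stands in for a built-in preload list: hosts the browser upgrades
  // from its very first run, with no response needed and no expiry.
  constructor(preload = []) {
    this.known = new Map();
    this.preloaded = new Set(preload);
    for (const host of preload) {
      this.known.set(host, { expires: Infinity, includeSubDomains: true });
    }
  }

  // Record a response's HSTS header. A browser only honours the header when the
  // response came over TLS (RFC 6797 section 8.1); over plain HTTP it is ignored.
  observe(host, overTls, headerValue, now) {
    if (!overTls) return false;
    const parsed = parseHsts(headerValue);
    if (!parsed) return false;
    if (this.preloaded.has(host)) return true; // preload entries are not downgraded here
    if (parsed.maxAge === 0) { this.known.delete(host); return true; }
    this.known.set(host, {
      expires: now + parsed.maxAge * 1000,
      includeSubDomains: parsed.includeSubDomains,
    });
    return true;
  }

  // Is `host` (or a parent domain with includeSubDomains) a known HSTS host right now?
  isKnown(host, now) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.known.get(candidate);
      if (!entry) continue;
      if (entry.expires <= now) { this.known.delete(candidate); continue; }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // How a navigation leaves the browser: 'https' means the URL is rewritten internally
  // and nothing goes out in clear; 'http' means a cleartext request whose 301 reply a
  // MITM can answer in place of the real server.
  navigate(url, now) {
    const u = new URL(url);
    if (u.protocol === 'https:') return 'https';
    if (u.protocol === 'http:' && this.isKnown(u.hostname, now)) return 'https';
    return 'http';
  }
}

// Walk through one host's life in a fresh profile, then in a second fresh session
// (what a new Incognito window amounts to: the cached policy is gone, the preload list is not).
function firstVisitGap(host, preload) {
  const t0 = 1000000;
  const store = new HstsStore(preload);
  const first = store.navigate(`http://${host}/`, t0);
  // The real site answers (after its 301) over HTTPS with a long-lived policy.
  store.observe(host, true, 'max-age=31536000; includeSubDomains', t0);
  const second = store.navigate(`http://${host}/`, t0 + 1000);
  const sub = store.navigate(`http://login.${host}/`, t0 + 1000);
  const nextSession = new HstsStore(preload).navigate(`http://${host}/`, t0 + 2000);
  return { first, second, sub, nextSession };
}

module.exports = { parseHsts, HstsStore, firstVisitGap };
```

With an empty preload list, `firstVisitGap('example.com', [])` reports the first navigation and the next session's first navigation as cleartext, which is exactly the window the first comment observed in Incognito; with `['example.com']` preloaded, both come out as HTTPS, which is what the second comment's priming step and the chromium.org preload list aim to achieve without the user first seeing the header.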