by netik 4561 days ago
No. HSTS prevents SSLStrip attacks when the intended destination is always meant to be in SSL.

SSLStrip does not work on valid HTTPS requests. If you request an HTTPS page, it cannot be subverted into HTTP. If it could, HTTPS would be pointless. So, yes, HSTS is not required for a valid HTTPS request. This is not some semantic argument, or some sort of side channel attack crap. HSTS is not necessary for HTTPS requests, period.
It's necessary for HTTP requests. Are you being deliberately obtuse?
It doesn't work if the user hasn't visited the site before because the HSTS header can be stripped just as easily.
The HSTS specification tells you not to put those headers in regular HTTP requests anyway.

Also, you're forgetting about browsers that ship with lists of HSTS-enabled sites.
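The points made across this thread (SSLStrip only bites on requests that leave the browser as plaintext, the first visit is exposed because a downgraded response can have its Strict-Transport-Security header removed, and a preload list closes that first-visit gap) can be exercised in a small model. The following is an added illustration, written for this page and not code posted by any commenter; the browser, origin server and attacker are toy classes, and the host `example.test`, header values and timestamps are constructed for the example.

```python
"""Toy model of how HSTS interacts with an SSLStrip-style active attacker.

Added example, not code from the thread. It models a browser's HSTS cache, an
optional preload list, an origin that redirects HTTP to HTTPS and sets HSTS on
HTTPS responses, and a MITM that downgrades plaintext navigations and strips
the Strict-Transport-Security header from them. Hosts, headers and times are
constructed for illustration.
"""
import re
import time
from dataclasses import dataclass, field

STS_MAX_AGE = re.compile(r"max-age\s*=\s*(\d+)", re.IGNORECASE)


@dataclass
class Browser:
    preload: set = field(default_factory=set)   # hosts shipped as HSTS-enabled
    hsts: dict = field(default_factory=dict)    # host -> expiry (unix seconds)

    def is_hsts_host(self, host, now):
        if host in self.preload:
            return True
        expiry = self.hsts.get(host)
        return expiry is not None and expiry > now

    def navigate(self, url, network, now=None):
        """Fetch `url` through `network`; return the scheme the page was actually delivered over."""
        now = time.time() if now is None else now
        scheme, host = url.split("://", 1)
        # HSTS upgrade happens inside the browser, before any bytes reach the wire.
        if self.is_hsts_host(host, now):
            scheme = "https"
        resp_scheme, headers = network.fetch(scheme, host)
        # The header is only honoured on a genuine HTTPS response; on plaintext it is ignored
        # (and an attacker could have removed it anyway, which is the first-visit problem).
        if resp_scheme == "https" and "Strict-Transport-Security" in headers:
            m = STS_MAX_AGE.search(headers["Strict-Transport-Security"])
            if m:
                self.hsts[host] = now + int(m.group(1))
        return resp_scheme


class Server:
    """Origin that redirects http:// to https:// and sets HSTS on HTTPS responses."""

    def fetch(self, scheme, host):
        if scheme == "http":
            return self.fetch("https", host)          # follow the 301 to HTTPS
        return "https", {"Strict-Transport-Security": "max-age=31536000"}


class SSLStripper:
    """Active MITM between the victim and `upstream`.

    It can only act on requests that leave the browser as http://. A request the
    browser sends as https:// is certificate-validated end to end, so the attacker
    can do nothing but pass it through.
    """

    def __init__(self, upstream):
        self.upstream = upstream

    def fetch(self, scheme, host):
        if scheme == "https":
            return self.upstream.fetch("https", host)
        # Plaintext request: fetch the real page over HTTPS, hand it back over HTTP,
        # and drop the HSTS header so the victim learns nothing.
        _, headers = self.upstream.fetch("https", host)
        stripped = {k: v for k, v in headers.items() if k.lower() != "strict-transport-security"}
        return "http", stripped


# Scenarios discussed in the thread (all on the constructed host example.test).

def first_visit_over_http(preloaded):
    """Victim types the bare hostname (an http:// navigation) on a hostile network, no prior visit."""
    b = Browser(preload={"example.test"} if preloaded else set())
    return b.navigate("http://example.test", SSLStripper(Server()), now=0)


def returning_visitor():
    """Victim visited earlier on a clean network, then repeats the http:// navigation on a hostile one."""
    b = Browser()
    b.navigate("http://example.test", Server(), now=0)                 # learns HSTS from the HTTPS response
    return b.navigate("http://example.test", SSLStripper(Server()), now=3600)


def expired_hsts():
    """Same as above, but the hostile visit happens after max-age has elapsed."""
    b = Browser()
    b.navigate("http://example.test", Server(), now=0)
    return b.navigate("http://example.test", SSLStripper(Server()), now=31536001)


def explicit_https():
    """Victim requests https:// directly; HSTS plays no role here."""
    return Browser().navigate("https://example.test", SSLStripper(Server()), now=0)
```

Running the scenarios shows the split the thread argues over: `explicit_https()` and `returning_visitor()` both end on `https`, `first_visit_over_http(False)` ends on `http` with the HSTS header gone, and `first_visit_over_http(True)` ends on `https` because the preload list upgrades the request before the attacker sees it. `expired_hsts()` also ends on `http`, which is why real deployments use long `max-age` values.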