by ds9
4435 days ago
If you are using a site-signed cert and giving intended visitors a corresponding browser cert (being your own CA), and turn on HSTS, I assume the non-bypassable warning page would not be triggered, and the author's reference to "self-signed certs" is an inaccurate shorthand for "site certs the browser doesn't trust a CA for". (If this interpretation is wrong, HSTS would prevent a secure connection in this scenario.) And if your server is rewriting URLs instead of using 301, then clients are not vulnerable to the redirect loophole and HSTS gives no benefit in that respect?
[1] http://tools.ietf.org/html/draft-ietf-websec-strict-transpor...
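As an added illustration (my own code, not the commenter's and not from the draft), here is a minimal model of a browser's HSTS "known host" store following the draft's rules: the client rewrites `http://` to `https://` before any request leaves it, which is what closes the redirect window, and certificate trust is still decided by the trust store alone, with HSTS only deciding whether a failed validation can be clicked through. Hostnames, header values and timestamps below are constructed.

```python
from urllib.parse import urlsplit


class HstsStore:
    """Models a UA's HSTS state: host -> (expiry timestamp, includeSubDomains)."""

    def __init__(self):
        self.hosts = {}

    def process_header(self, host, header, now, secure=True):
        """Apply a Strict-Transport-Security header received from `host`.

        Returns True if the header was valid and applied. Per the draft, a UA
        ignores the header on a non-secure transport or on a connection whose
        certificate did not validate (modelled here by `secure`)."""
        if not secure:
            return False
        directives = {}
        for part in header.split(";"):
            name, _, value = part.strip().partition("=")
            name = name.strip().lower()        # directive names are case-insensitive
            if not name:
                continue
            if name in directives:             # a repeated directive invalidates the header
                return False
            directives[name] = value.strip().strip('"')
        if not directives.get("max-age", "").isdigit():
            return False                       # max-age is mandatory
        max_age = int(directives["max-age"])
        if max_age == 0:                       # max-age=0 tells the UA to forget the host
            self.hosts.pop(host.lower(), None)
            return True
        self.hosts[host.lower()] = (now + max_age, "includesubdomains" in directives)
        return True

    def is_known(self, host, now):
        """True if `host` or a superdomain with includeSubDomains is unexpired."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now):
        """Client-side upgrade: no plaintext request and no 301 hop is ever sent."""
        p = urlsplit(url)
        if p.scheme != "http" or not self.is_known(p.hostname, now):
            return url
        # An explicit port 80 becomes the https default; any other explicit port is kept.
        netloc = p.hostname if p.port in (None, 80) else f"{p.hostname}:{p.port}"
        return p._replace(scheme="https", netloc=netloc).geturl()

    def cert_error_is_fatal(self, host, now):
        """HSTS does not judge the certificate; it only removes the click-through."""
        return self.is_known(host, now)
```

A certificate chaining to a CA the visitor has installed validates normally, so `cert_error_is_fatal` is never consulted for it; the fatal path only applies when chain validation actually fails.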