by VexXtreme 4254 days ago
I see a lot of comments here presenting HSTS as some kind of silver bullet for preventing MITM attacks. While it does help, it's not impenetrable. If a website hasn't been preloaded into the STS preloaded list, then the HSTS header can be stripped on the first visit and the client will never upgrade to SSL.

The only foolproof way to make sure you're not being MITM'd is to visually verify that the domain checks out and that you are indeed connected using SSL.
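A small model of the first-visit gap the comment describes, written here as an added illustration (not the commenter's code). It assumes a constructed preload set `PRELOAD` and a toy `HstsClient` cache; a client only upgrades http:// URLs for hosts it already knows, so a Strict-Transport-Security header that never arrives over TLS (stripped, or sent over plain HTTP) leaves the host unprotected unless it is preloaded.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for a browser's built-in HSTS preload list (assumption).
PRELOAD = {"preloaded.example"}

def parse_hsts(header):
    """Return (max_age, include_subdomains) from an STS header, or None if unusable."""
    if not header:
        return None
    max_age, subs = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            subs = True
    return None if max_age is None else (max_age, subs)

class HstsClient:
    """Minimal model of a client's HSTS cache: host -> (expiry, include_subdomains)."""
    def __init__(self, now=time.time):
        self.known, self.now = {}, now

    def is_known(self, host):
        # Walk host, parent, grandparent...: preloaded, or cached with includeSubDomains.
        labels = host.split(".")
        for i in range(len(labels)):
            parent = ".".join(labels[i:])
            entry = self.known.get(parent)
            if parent in PRELOAD or (entry and entry[0] > self.now() and (i == 0 or entry[1])):
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// only for hosts the client already trusts."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url

    def on_response(self, host, scheme, headers):
        """Record the policy; a client must ignore STS received over plain HTTP (RFC 6797)."""
        policy = parse_hsts(headers.get("strict-transport-security"))
        if scheme == "https" and policy is not None:
            self.known[host] = (self.now() + policy[0], policy[1])
```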