It's important to note that even if the HSTS header was present on the mobile site, the exploit would still be possible since many mobile browsers do not support HSTS[1].
>We are slowly rolling out HSTS across the entirety of Facebook's infrastructure. The fact that m.facebook.com does not send this header currently is by design.
Why not? For browsers that don't support HSTS, the header will be ignored. For those that do support it, the end-user gets better security. Is there a feasible reason for not enabling it everywhere? My guess would be so Facebook can disable SSL for certain browsers?
Yes, this is the case, but only in the first request. As soon as an HTTP user agent gets such an HSTS header, it will only communicate via HTTPS until max-age expires.
pmh|12 years ago
[1]http://michael-coates.blogspot.com/2013/09/security-capabili...
ancarda|12 years ago
matt_heimer|12 years ago
daeken|12 years ago
elwell|12 years ago
Sami_Lehtinen|12 years ago
Btw, there are many sites like this out there, so this isn't news actually. There are even more sites which lack https completely.
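To make the "only in the first request ... until max-age expires" point above concrete, here is a small added model of how a user agent applies a Strict-Transport-Security header. It is illustration code written for this thread, not Facebook's code or any browser's implementation; the hostnames (example.com, m.example.com), the header values and the fake clock are constructed. It shows the three states that matter for the exploit discussed: no cached policy (first plain-HTTP request goes out unprotected), a cached policy that forces https:// (including subdomains when includeSubDomains is set), and an expired policy (exposure returns until the header is seen again). It also honours the RFC 6797 rule that the header is ignored when received over plain HTTP.

```python
"""Toy model of a browser's HSTS cache (added example, not from the thread)."""
import re
import time


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value per RFC 6797.

    Returns (max_age_seconds, include_subdomains), or None when the header is
    missing or invalid (max-age is mandatory; directive names are case-insensitive).
    """
    if header_value is None:
        return None
    max_age = None
    include_sub = False
    for directive in header_value.split(";"):
        d = directive.strip()
        if not d:
            continue
        name, _, value = d.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None  # malformed max-age invalidates the whole header
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """Per-host HSTS state as a user agent would keep it."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be simulated
        self.entries = {}           # host -> (expiry_time, include_subdomains)

    def observe(self, host, header_value, over_tls=True):
        """Record the policy carried by a response. Returns True if it was applied.

        RFC 6797 section 8.1: a header received over plain HTTP must be ignored,
        otherwise an on-path attacker could plant or clear policies.
        """
        if not over_tls:
            return False
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 tells the UA to forget the host
            return True
        self.entries[host] = (self.clock() + max_age, include_sub)
        return True

    def should_upgrade(self, host):
        """True if an http:// navigation to host must be rewritten to https://."""
        now = self.clock()
        labels = host.split(".")
        # Walk from the exact host up through its parent domains.
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                del self.entries[candidate]  # expired: back to the unprotected state
                continue
            if i == 0 or include_sub:
                return True
        return False


def walkthrough():
    """Replay the first-request / cached / expired sequence with a fake clock."""
    t = [1_000_000.0]
    cache = HstsCache(clock=lambda: t[0])
    decisions = []
    # 1. First-ever visit: nothing cached, so the plain-HTTP request is not upgraded.
    decisions.append(cache.should_upgrade("m.example.com"))
    # 2. The HTTPS response carries HSTS for the parent domain with includeSubDomains.
    cache.observe("example.com", "max-age=3600; includeSubDomains")
    decisions.append(cache.should_upgrade("m.example.com"))
    decisions.append(cache.should_upgrade("example.com"))
    # 3. Advance the clock past max-age: the policy lapses and exposure returns.
    t[0] += 3601
    decisions.append(cache.should_upgrade("m.example.com"))
    return decisions


if __name__ == "__main__":
    print(walkthrough())
```

The walk-through returns `[False, True, True, False]`: the gap before the first HTTPS response and the gap after expiry are exactly the windows the thread is talking about, which is why browsers' built-in preload lists exist and why a long max-age matters once a site has decided to commit to HTTPS.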