If you don't type the https url, you start by visiting the http website. Normally the http version will redirect to https, but a man in the middle can easily prevent this.
> If you don't type the https url, you start by visiting the http website. Normally the http version will redirect to https, but a man in the middle can easily prevent this.
This is not entirely correct. HSTS[0] was designed to protect against such attacks.
It's true, however, that not every browser out there supports it yet, and you must visit the website at least once without MITM for the server to successfully communicate HSTS header. (In Chrome certain domains are included in built-in list[1], though.)
Yes! I just thought of this and was going to edit it in, but you are quicker. Many websites still don't use HSTS, and in any case this article is from a few months ago (I remember reading it) and HSTS is pretty new.
goblin89|11 years ago
This is not entirely correct. HSTS[0] was designed to protect against such attacks.
It's true, however, that not every browser out there supports it yet, and you must visit the website at least once without MITM for the server to successfully communicate HSTS header. (In Chrome certain domains are included in built-in list[1], though.)
[0] https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_s...
[1] https://src.chromium.org/viewvc/chrome/trunk/src/net/http/tr...
unknown|11 years ago
[deleted]
iancarroll|11 years ago
Wilya|11 years ago
In my browser (FF nightly), I see the HSTS header, with the value: "max-age=15552000; preload"
If I do a request with curl, no header... (which is probably what this app sees).
I don't have a clue why they are doing that, though. Not that curl would do something with the HSTS header anyway, but still...
zokier|11 years ago
ma2rten|11 years ago
lucb1e|11 years ago