
The initial redirect from HTTP to HTTPS is a weak spot. Most users will just type "example.com" into the address bar and an active attacker can strip HTTPS from there. There'll be no padlock icon, but how many of your users are really going to notice?

See http://dev.chromium.org/sts to fix this.
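As an added example (not part of this thread, and not code from the Chromium STS page linked above), here is a small Python model of the client-side policy cache that the Strict-Transport-Security header asks a browser to keep. It shows the three things that matter for the weak spot described: the first plain-HTTP visit is still exposed, every later http:// URL for that host is upgraded locally before any request goes out, and a header that arrives over plain HTTP is ignored so it cannot be used to clear the policy. The hostnames, header values and timestamps are constructed for illustration.

```python
"""Minimal model of an HSTS (RFC 6797) policy cache. Example code added to
illustrate the discussion; not the thread's or Chromium's implementation.
All hosts, headers and timestamps below are constructed."""
import re
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the header
    is unusable (max-age missing or malformed). Directive names are
    case-insensitive.
    """
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", value):
                return None  # malformed max-age: reject the whole header
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsCache:
    """Per-host "HTTPS only" policies, keyed by lowercase hostname."""

    def __init__(self):
        self._policies = {}  # host -> (expires_at, include_subdomains)

    def record(self, scheme, host, header, now=None):
        """Learn a policy from a response. Only a response received over HTTPS
        may set or clear HSTS; over plain HTTP the header is ignored, since
        anyone who can strip the connection could otherwise forge it."""
        if scheme != "https":
            return False
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower()
        now = time.time() if now is None else now
        if max_age == 0:
            self._policies.pop(host, None)  # max-age=0 means "forget this host"
            return True
        self._policies[host] = (now + max_age, include_subdomains)
        return True

    def is_known_https_host(self, host, now=None):
        """True if host, or a parent domain with includeSubDomains, has an
        unexpired policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expires_at, include_subdomains = policy
            if expires_at <= now:
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url, now=None):
        """What a conforming client does before sending: an http:// URL for a
        known host is upgraded locally, so the plain HTTP request that an
        SSL-stripping attacker needs to intercept is never made."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and \
                self.is_known_https_host(parts.hostname, now):
            netloc = parts.hostname
            if parts.port and parts.port != 80:
                netloc = f"{netloc}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def demo():
    """Walk through one host's lifecycle with constructed data."""
    cache = HstsCache()
    t0 = 1_000_000
    # First visit: no policy yet, so the http URL goes out as typed.
    # This is the redirect weak spot the comment describes.
    first = cache.rewrite("http://example.com/login", now=t0)
    # The HTTPS response after the redirect carries the header (constructed).
    cache.record("https", "example.com", "max-age=31536000; includeSubDomains", now=t0)
    later = cache.rewrite("http://example.com/login", now=t0 + 10)
    sub = cache.rewrite("http://api.example.com/v1", now=t0 + 10)
    # A header seen over plain HTTP must not change the cached policy.
    cache.record("http", "example.com", "max-age=0", now=t0 + 20)
    still = cache.rewrite("http://example.com/", now=t0 + 20)
    # Once max-age has elapsed the client is back to trusting the redirect.
    expired = cache.rewrite("http://example.com/", now=t0 + 31536000 + 1)
    return first, later, sub, still, expired


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The expiry case is the one to watch in practice: a short max-age means a returning user is periodically back in the "first visit" position, so a long max-age on the HTTPS response is what keeps the upgrade in force.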




It's important to note that this isn't some sort of hypothetical attack either. In fact, it's wicked simple to do.

http://www.thoughtcrime.org/software/sslstrip/


I dig the STS header, but isn't fixing the problem for only a small-ish percentage of browsers ... not really fixing the problem?


No. It's not. But without clients knowing about the fact that a site should be accessed only over SSL, there is no fix. Chrome isn't the only browser to support this. AFAIK, NoScript for Firefox also adds support and once this becomes widespread, more browsers might follow.

Fixing the problem for some is certainly better than not fixing it and waiting for the perfect solution that might never appear.

Especially if the fix is this easy to implement.


Firefox 4 betas have been shipping with STS support since June. See http://hg.mozilla.org/mozilla-central/rev/5dc3c2d2dd4f



