On Sun, 1 Mar 2015 05:12:34 -0800 (PST)
Matthew Jones wrote:

> Hi, 
> I see HTTP Strict Transport Security (HSTS) is now supported in most web 
> servers and browsers, and prevents TLS downgrade attacks (such as SSL 
> Stripping). 
> Does anyone know if this is supported by the Android API for http requests 
> sent by apps? (or if this is relevant for apps) 
> Thanks

I don't see HSTS as the right solution for anything, it is hitting a
pin with a sledge hammer. It may well have been useful for mail
STARTTLS though but DANE may work there. Users still need to check the
url bar when submitting anything. Xombrero is a good example of how to
make this more prominent though its long-standing WebKit leaks memory
like a sieve. (Green bar having nothing to do with EV, cert changes
optionally flagged etc.)

It has already annoyed me for no benefit when trying to securely get a
checksum for a download and manually entering https to find that that
causes a blank page or 404 (can't remember properly) and then refused
to let me actually download or get back to the working http page.

-- 
You received this message because you are subscribed to the Google Groups 
"Android Security Discussions" group.
Visit this group at http://groups.google.com/group/android-security-discuss.
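HSTS is a client-side cache: once a host has sent the Strict-Transport-Security header over TLS, the client rewrites later http:// requests to https:// until max-age expires, which is both the defence against SSL stripping the question asks about and the reason a forced-https page that 404s cannot simply be bypassed, as the reply describes. The model below is an added example, not code from this thread or from Android; the host names and header values in the assertions are constructed.

```python
import time
from urllib.parse import urlsplit, urlunsplit
def parse_hsts(header):
    """Parse a Strict-Transport-Security value; None if max-age is absent or malformed."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy if policy["max_age"] is not None else None

class HstsCache:
    """Per-host HSTS store, as a browser or HTTP client keeps it (host -> expiry, includeSubDomains)."""
    def __init__(self, now=time.time):
        self.now = now
        self.policies = {}

    def learn(self, host, header, over_tls):
        """Record a policy; RFC 6797 says the header is ignored on plain-http responses."""
        if not over_tls or (policy := parse_hsts(header)) is None:
            return
        host = host.lower()
        if policy["max_age"] == 0:  # max-age=0 tells the client to forget the host
            self.policies.pop(host, None)
        else:
            self.policies[host] = (self.now() + policy["max_age"], policy["include_subdomains"])

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            parent = ".".join(labels[i:])
            if parent not in self.policies:
                continue
            expiry, include_subdomains = self.policies[parent]
            if expiry <= self.now():
                del self.policies[parent]  # expired: behave as if never seen
            elif i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts, so a stripped link cannot downgrade."""
        p = urlsplit(url)
        if p.scheme == "http" and self.is_known(p.hostname or ""):
            return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
        return url
```

Note that once a host is cached the upgrade happens even if the https endpoint returns an error, which is exactly the situation the reply complains about; only max-age expiry or a max-age=0 header sent over TLS clears it.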
