On Tue, Sep 23, 2014 at 01:08:13PM -0500, fhw...@gmail.com wrote:
> So what is the reason to use HSTS over a server initiated redirect? Seems
> to me the latter would provide greater security whereas the former is easy
> to bypass.
On the contrary, HSTS is much harder to bypass, because the browser remembers the HSTS setting for an extended period of time. While first use is still vulnerable to a downgrade attack under HSTS, it's only *one* use, whereas the browser is vulnerable to redirect filtering on *every* use.

If an attacker has enough access to the network to be able to strip the HSTS header, they also have enough access to be able to block the server-initiated redirect to HTTPS.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
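As an added illustration of Matt's point (not code from the thread): a toy model of a browser's HSTS cache, comparing what an on-path attacker who strips the STS header and blocks the 301 achieves on each visit against a redirect-only site and against an HSTS site. The hostnames, the one-year `max-age` and the `visit` scenario are constructed.

```python
from typing import Dict, Optional, Tuple

# Constructed toy model of a browser's HSTS cache: host -> (expiry, includeSubDomains)
HstsStore = Dict[str, Tuple[float, bool]]
STS_VALUE = "max-age=31536000; includeSubDomains"  # constructed one-year policy

def parse_sts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value into (max_age, includeSubDomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def process_response(store: HstsStore, host: str, scheme: str, sts: str, now: float) -> None:
    """Remember the policy; browsers ignore the header unless it arrived over HTTPS."""
    parsed = parse_sts_header(sts)
    if scheme != "https" or parsed is None:
        return
    max_age, include_sub = parsed
    if max_age == 0:
        store.pop(host, None)  # max-age=0 means "forget this host"
    else:
        store[host] = (now + max_age, include_sub)

def should_upgrade(store: HstsStore, host: str, now: float) -> bool:
    """True if an unexpired entry for host, or a parent with includeSubDomains, applies."""
    labels = host.split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        if entry is not None and entry[0] > now and (i == 0 or entry[1]):
            return True
    return False

def visit(store: HstsStore, host: str, attacker_on_path: bool, now: float) -> Tuple[str, str]:
    """Outcome of typing http://host once: (redirect-only defence, HSTS defence)."""
    # Redirect-only: the 301 is the sole signal and an on-path attacker drops it every time.
    redirect_only = "plaintext" if attacker_on_path else "https"
    if should_upgrade(store, host, now):
        hsts = "https"  # cached policy upgrades the request before it leaves the browser
    elif attacker_on_path:
        hsts = "plaintext"  # the one-time first-use gap the post describes
    else:
        hsts = "https"  # clean visit: cache the policy for later visits
        process_response(store, host, "https", STS_VALUE, now)
    return redirect_only, hsts
```

After one clean HTTPS visit, later visits under attack stay on HTTPS until the cached `max-age` expires, while the redirect-only site is downgraded on every attacked visit.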