OK, thanks Matt. So the security improvement is because it's a server config plus persistent memory on the client side.
What is the thinking in Firefox (assume Thunderbird will be similar?) for handling of all the different cases that arise with it? I'm thinking of how persistent is the HSTS knowledge, can it be cleared, what errors/warnings might appear, will users be allowed to bypass them, and so forth.

Original Message
From: Matt Palmer
Sent: Tuesday, September 23, 2014 5:01 PM

On Tue, Sep 23, 2014 at 01:08:13PM -0500, fhw...@gmail.com wrote:
> So what is the reason to use HSTS over a server initiated redirect? Seems
> to me the latter would provide greater security whereas the former is easy
> to bypass.

On the contrary, HSTS is much harder to bypass, because the browser remembers the HSTS setting for an extended period of time. While first use is still vulnerable to a downgrade attack under HSTS, it's only *one* use, whereas the browser is vulnerable to redirect filtering on *every* use. If an attacker has enough access to the network to be able to strip the HSTS header, they also have enough access to be able to block the server-initiated redirect to HTTPS.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy