On 05.02.2015 16:54, Daniel Kahn Gillmor wrote:
> Alexander, I don't think that's the right analysis. Having an
> httpsE-rule avoids an sslstrip attack for people on their first
> visit, which HSTS does not defend against.
>
> If I type "steventress.com" into my browser right now (having never
> visited it before), my browser will try http://steventress.com/.
>
> A network-based attacker can simply pretend to be that server (even
> proxying the content from the https site so it looks the same). All my
> communications will remain in the clear.
>
> Having an httpsE-rule means that as long as I have the extension
> installed, I'll never get the cleartext site, even if I've never visited
> it before.
>
> --dkg
Of course you are right! These two measures don't contradict each other. But I think that HSTS (+ adding it on https://hstspreload.appspot.com/) is more effective, since very few people out there use HTTPS Everywhere (btw, are any estimates known?) and it takes rather long for a rule to get to the stable branch, which the majority of people (including all Chrome users) use.
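As an added illustration of the first-visit gap discussed in this exchange (example code written for this page, not from either participant, from HTTPS Everywhere or from the preload list project), the following Python models three defences a browser can have when a user types a plain http:// URL: an HSTS policy learned from an earlier HTTPS response, a preload-list entry, and an HTTPS Everywhere-style rewrite rule. It also checks a Strict-Transport-Security header against the preload submission requirements. The host example.com, the headers, the rule and the preload max-age threshold are all constructed assumptions; the threshold in particular is a parameter because the published minimum has changed over the years.

```python
"""Added example: HSTS, the preload list and a rewrite rule on a first visit."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

# Assumed minimum max-age for preload submission.  Kept as a constant because
# the published requirement has changed (18 weeks in 2015, one year today).
PRELOAD_MIN_MAX_AGE = 365 * 24 * 3600


@dataclass
class HSTSPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns None when the header is missing or has no valid max-age."""
    if not header:
        return None
    max_age = None
    include_sub = preload = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # malformed max-age: the whole header is ignored
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return None if max_age is None else HSTSPolicy(max_age, include_sub, preload)


def preload_problems(policy):
    """Reasons a policy would fail preload submission; empty list means eligible."""
    if policy is None:
        return ["no valid Strict-Transport-Security header"]
    problems = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below %d" % PRELOAD_MIN_MAX_AGE)
    if not policy.include_subdomains:
        problems.append("missing includeSubDomains")
    if not policy.preload:
        problems.append("missing preload")
    return problems


@dataclass
class Browser:
    """Just enough of a user agent to decide what a typed http:// URL becomes."""
    preload_list: set = field(default_factory=set)     # hosts baked into the binary
    learned: dict = field(default_factory=dict)        # host -> policy seen over HTTPS
    rewrite_rules: list = field(default_factory=list)  # (compiled regex, replacement)

    def _hsts_applies(self, host):
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preload_list:  # preload entries cover subdomains
                return True
            policy = self.learned.get(candidate)
            if policy and (i == 0 or policy.include_subdomains):
                return True
        return False

    def navigate(self, url):
        """Return the URL that actually leaves the machine."""
        parts = urlsplit(url)
        if parts.scheme == "https":
            return url
        if self._hsts_applies(parts.hostname):
            return urlunsplit(("https",) + parts[1:])
        for pattern, replacement in self.rewrite_rules:
            if pattern.match(url):
                return pattern.sub(replacement, url)
        return url  # cleartext: this is the window an sslstrip attacker needs

    def receive(self, url, headers):
        """Learn HSTS only from a response that arrived over HTTPS; a header
        relayed over plain HTTP (e.g. by sslstrip) must be ignored (RFC 6797 8.1)."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return
        policy = parse_hsts(headers.get("Strict-Transport-Security"))
        if policy is not None and policy.max_age == 0:
            self.learned.pop(parts.hostname, None)  # max-age=0 withdraws the policy
        elif policy is not None:
            self.learned[parts.hostname] = policy


def first_visit_outcomes():
    """Compare the three defences on a first visit to a constructed host."""
    good = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
    out = {}
    b = Browser()  # 1. fresh browser: nothing known, first request is cleartext
    out["fresh"] = b.navigate("http://example.com/")
    b.receive("http://example.com/", good)  # header seen over stripped http: ignored
    out["after_stripped_visit"] = b.navigate("http://example.com/")
    b.receive("https://example.com/", good)  # only a genuine HTTPS response counts
    out["after_https_visit"] = b.navigate("http://www.example.com/")
    b = Browser(preload_list={"example.com"})  # 2. preloaded: safe on first visit
    out["preloaded"] = b.navigate("http://example.com/")
    rule = (re.compile(r"^http://(www\.)?example\.com/"), r"https://\1example.com/")
    b = Browser(rewrite_rules=[rule])  # 3. rule: safe on first visit, extension users only
    out["ruleset"] = b.navigate("http://www.example.com/")
    return out
```

The "after_stripped_visit" case is the point dkg makes: as long as the attacker keeps the first session on http://, the site's HSTS header never arrives over a channel the browser is allowed to trust, so HSTS alone cannot close the gap; only the preload entry or the rewrite rule changes the very first request.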
