On Mon, 2011-07-25 at 13:28 -0700, Gervase Markham wrote:
> On 25/07/11 11:13, Yngve N. Pettersen wrote:
> > At least one client supporting HSTS (maybe more) is using a hardcoded
> > list of sites that are always HSTS enabled, as a method of countering
> > the bootstrap problem.
>
> Is "the bootstrap problem", the problem that on your very first visit to
> a site, you might get MITMed?
>
> If it's your very first visit, then you won't have a relationship with
> that site, so the risk is much lower.
No... in the general case, you are dereferencing a https URL provided by
someone else who expects you to use server authentication. See
https://bugzilla.mozilla.org/show_bug.cgi?id=653318#c3 that I just posted;
it refers to the risks of not using server authentication at all, but the
risks of not knowing about HSTS are analogous.

--
Matt

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
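As an added illustration of the bootstrap window this thread is about (example code written for this page, not from any client or from the participants): a toy HSTS client with a constructed preload list and a cache learned from Strict-Transport-Security headers. The host names and preload entries are made up; the two "not known" outcomes in `decide` are the window a hardcoded list closes.

```python
import re
import time

# Constructed preload entries for the example (not any browser's real list):
# host -> includeSubDomains flag.
PRELOAD = {"preloaded.example": True}


class HstsClient:
    """Toy HSTS policy store: hardcoded preload list plus a learned cache."""

    def __init__(self, preload=None, now=time.time):
        self.preload = dict(preload or {})
        self.cache = {}          # host -> (expiry, include_subdomains)
        self.now = now           # injectable clock so expiry is testable

    def observe_header(self, host, header):
        """Record a Strict-Transport-Security header seen over a valid HTTPS connection."""
        m = re.search(r'max-age\s*=\s*"?(\d+)"?', header, re.I)
        if not m:
            return
        max_age = int(m.group(1))
        if max_age == 0:         # max-age=0 tells the client to forget the policy
            self.cache.pop(host, None)
            return
        sub = re.search(r"(^|;)\s*includeSubDomains\s*(;|$)", header, re.I) is not None
        self.cache[host] = (self.now() + max_age, sub)

    def is_known_hsts(self, host):
        """True if host, or a parent with includeSubDomains, has an unexpired policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            parent, exact = ".".join(labels[i:]), i == 0
            if parent in self.preload and (exact or self.preload[parent]):
                return True
            entry = self.cache.get(parent)
            if entry and entry[0] > self.now() and (exact or entry[1]):
                return True
        return False

    def decide(self, host, scheme, cert_ok=True):
        """What the client does with a navigation. The two 'not known' outcomes
        are the bootstrap window: cleartext goes out, or a bad certificate can be
        clicked through, which is exactly what a preload entry closes."""
        known = self.is_known_hsts(host)
        if scheme == "http":
            return "upgrade-to-https" if known else "plaintext-allowed"
        if cert_ok:
            return "connect"
        return "hard-fail" if known else "warning-overridable"
```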
