undefined | Better HN

0 pointsarthurcolle2y ago0 comments

How can you reliably know that you're not being MITM without HSTS?

0 comments

How can you know you're not with HSTS? The whole centralized security system is suspicious in terms of failure points.

The Web PKI is hierarchical, but it isn't particularly centralized (other than Let's Encrypt increasingly eating everyone else's lunch, which is probably a good thing).

But in terms of actual failure points: if you're initiating a connection over HTTPS, then the only way an attacker can MITM you is by convincing a CA to incorrectly issue them a certificate for that domain. That's why Chrome and Safari monitor certificate transparency logs, and why website operations should also generally monitor the logs (to look for evidence of misissuance on their own domains).

anigbrowl2y ago

Not my problem if I am just serving a static page.

For a commercial service or if I was handling people's credentials I'd use something more robust.

xboxnolifes2y ago

It is your problem if you're interested in making sure people are actually getting your static page.

ZeroSolstice2y ago

I'm sure there is some nuance to what someones static site is serving but someones blog doesn't need to be HTTPS. If they are offering downloads you can provide checksums or verify their data through other sources or contacting them out-of-band.

Anything that needs some form of validation from any site should be verifiable in multiple ways. Just because they have HTTPS doesn't mean the provided information or data is automatically correct.

1 more reply

j / k navigate · click thread line to collapse