You are very right with everything, except for one small detail that might make all the difference when you're evaluating risk.
You're saying that HSTS is not very effective because, on your very first visit with a browser, you're not protected? So, not being protected in one visit per browser in 2 years (assuming the max-age of 2 years), which might represent 99.9999% of the cases, is not being effective? :)
Accessibility First DevRel. I focus on ensuring content created, events held and company assets are as accessible as possible, for as many people as possible.
I agree "not very effective" was probably a little heavy-handed, but "only 70% as effective" would probably be a fair assessment.
You are right, once you have been to the site you are protected...unless the server gets hacked.
Then the attacker simply sets your HSTS to 0 so it expires immediately the second someone visits the site, and they can man-in-the-middle and downgrade attack to their heart's content (I make it sound easy, I am aware it is not!). It is also the sort of attack that can go on for months because nobody checks their headers regularly... nobody :-P
HSTS preload means that even if that happened everyone is still protected, as well as protecting first time visitors.
Also bear in mind that once someone has successfully performed a man-in-the-middle attack an end user will likely never get the HSTS headers / meta tags that instruct the browser to upgrade insecure requests as the attacker will just strip them.
With about 20% of traffic to a typical site being new users that can soon add up!
As I said, not very effective unless you use preloading as that makes it impossible to access the site over http in nearly every major browser.
Obviously for 99% of websites none of the above is a major issue purely because they are not big enough targets to justify the effort.
But for the 1% where the risk is real HSTS must be preloaded or it is next to useless for protection.
P.S. Thanks for the interesting info about .app domains, never knew that...a good one to add to my "almost useless, mildly interesting geek facts" list I have in my head for special occasions…and I wonder why nobody wants to hang out anymore 🤣🤣🤣
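The thread's two failure modes (a compromised origin serving `max-age=0` to wipe the stored policy, and a header that never qualifies for preloading) are both visible in the header value itself. The checker below is an added example written for this discussion, not code from either commenter or from dev.to. It parses a `Strict-Transport-Security` value the way RFC 6797 describes (semicolon-separated directives, case-insensitive names) and reports anything a defender would want flagged; the one-year `max-age` floor, `includeSubDomains` and `preload` are the published submission requirements of hstspreload.org, and the sample header values are constructed for the demonstration.

```python
"""Audit a Strict-Transport-Security header against HSTS preload requirements.

Added example for the HSTS discussion above; not the original post's code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import urllib.request

# hstspreload.org requires max-age of at least one year (31536000 seconds),
# includeSubDomains and preload before a domain can be submitted.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsVerdict:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)


def parse_hsts(header_value: str) -> Dict[str, str]:
    """Split the directive list ("max-age=300; includeSubDomains") into a dict.

    Directive names are case-insensitive (RFC 6797 section 6.1); values may be quoted.
    """
    directives: Dict[str, str] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def evaluate_hsts(header_value: Optional[str]) -> HstsVerdict:
    """Return the parsed policy plus a list of findings (empty means preload-ready)."""
    verdict = HstsVerdict(present=header_value is not None)
    if header_value is None:
        verdict.findings.append("no Strict-Transport-Security header: browser will not pin HTTPS")
        return verdict

    directives = parse_hsts(header_value)
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        # A header without a valid max-age is ignored entirely by browsers.
        verdict.findings.append("missing or invalid max-age: header is ignored by browsers")
        return verdict

    verdict.max_age = int(max_age)
    verdict.include_subdomains = "includesubdomains" in directives
    verdict.preload = "preload" in directives

    if verdict.max_age == 0:
        # This is the tampering case from the thread: max-age=0 tells every
        # returning browser to forget the stored policy. A preloaded domain is
        # unaffected, because the browser's built-in list wins.
        verdict.findings.append("max-age=0: this header clears any stored HSTS policy (possible tampering)")
    elif verdict.max_age < PRELOAD_MIN_MAX_AGE:
        verdict.findings.append(
            f"max-age={verdict.max_age} is below the one-year preload minimum ({PRELOAD_MIN_MAX_AGE})"
        )
    if not verdict.include_subdomains:
        verdict.findings.append("includeSubDomains missing: subdomains are not covered and preload is not possible")
    if not verdict.preload:
        verdict.findings.append("preload directive missing: domain cannot be submitted to the preload list")
    return verdict


def fetch_hsts(url: str, timeout: float = 10.0) -> Optional[str]:
    """Fetch the live header from an HTTPS URL (network access; not used in the offline demo)."""
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.headers.get("Strict-Transport-Security")


if __name__ == "__main__":
    # Constructed sample header values, one per scenario from the discussion.
    samples = {
        "healthy, preload-ready": "max-age=63072000; includeSubDomains; preload",
        "short max-age, no preload": "max-age=300",
        "cleared by a compromised origin": "max-age=0",
        "header stripped by a MITM": None,
    }
    for label, value in samples.items():
        verdict = evaluate_hsts(value)
        status = "OK" if not verdict.findings else "FINDINGS"
        print(f"[{status}] {label}: {value!r}")
        for finding in verdict.findings:
            print(f"    - {finding}")
```

Running the module prints one block per constructed scenario; to audit a real site periodically (the "nobody checks their headers" point), call `evaluate_hsts(fetch_hsts("https://example.com/"))` from a scheduled job and alert on any non-empty `findings`, treating `max-age=0` as the highest-severity result.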
2 more interesting (positive) notes: