Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

And could still do the exact same thing if they had TLS: get the page, add crap, and serve the result (albeit without TLS).


You know, I've never really realized that before. It's actually a pretty huge security hole for average users, no? There should be a way to explicitly forbid non-encrypted connections on a DNS level.


That's roughly the purpose of HSTS, but you need to have visited the site at least once first (or in the case of popular sites, HSTS status of a site is shipped with the browser.)


People who are encountering this for the first time might want to look at

http://www.thoughtcrime.org/software/sslstrip/

for some of the motivation!


A technical user could reasonably be expected to look for https before downloading 'preview build' or something equally payload-ey.

Then sigh and download PuTTY anyway...




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: