[HTTPS-Everywhere] HTTPS Everywhere 0.3.0.development.1

Robert Ransom rransom.8774 at gmail.com
Sat Nov 13 15:17:00 PST 2010


On Sat, 13 Nov 2010 14:57:35 -0800
Chris Palmer <chris at eff.org> wrote:

> > No.  sslstrip can easily be extended to remove
> > Strict-Transport-Security headers from responses that it forwards to the
> > client (if it does not do so already).

> As I understand it, sslstrip will succeed in keeping a user of an HSTS-enabled site downgraded only if the user is connecting to the site, via the sslstrip-pwned network, for the first time in the site's HSTS policy window. HSTS is like SSH in that way: Connect unsafely once, stay safe ever after within the window. If you're pwned the first time, well, too bad.
> 
> Although imperfect, that is a huge improvement over the status quo. (Surely you'll agree that SSH is Pretty Good, right?)

Unless you close your browser, and it is configured not to record
information about your browsing history on disk.


> > Also, I can't say I trust github's ssl given their latest "SSL Prevention Phase" blog post: https://github.com/blog/743-sidejack-prevention-phase-3-ssl-proxied-assets
> > It's not actually ssl, as they put it, "The /src/ attribute is rewritten to proxy through our normal asset servers so it **appears** to come from a secure source." All this does is fix the warning.
> 
> They fixed the warning by fixing the problem. Your connections to GitHub servers are protected; inside their network, they might use unprotected communications. Again, a huge improvement over the status quo.
> 
> It seems like they are proxying *within their internal network*: the unsafe links are probably between servers on the same subnet (e.g. assets1.github.com is 207.97.227.244, while github.com is 207.97.227.239).

Even if they are proxying requests to other web sites (code.jquery.com,
perhaps?), it is probably much harder to MITM connections from GitHub's
servers to the Internet than to MITM connections from a wireless
network user to the Internet.


Robert Ransom
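The HSTS behaviour argued over above (a policy is only learned over a clean HTTPS connection, so a downgraded first visit leaves the window open, and an in-memory store is empty again after a restart) as an added Python model; this is illustration code written for this archive page, not code from HTTPS Everywhere or any browser, and the hostnames and timestamps are constructed.

```python
import re

# Added illustration of the HSTS "trust on first use" window discussed above;
# not code from HTTPS Everywhere or any browser. Hosts/times are constructed.
_HSTS_RE = re.compile(r"max-age\s*=\s*(\d+)", re.IGNORECASE)


def parse_hsts(value):
    """(max_age, include_subdomains) from an STS header value, or None."""
    m = _HSTS_RE.search(value)
    if not m:
        return None
    return int(m.group(1)), "includesubdomains" in value.lower()


class HstsStore:
    """In-memory per-host policy cache, modelled on a browser's."""

    def __init__(self):
        self._policies = {}  # host -> (expiry_epoch, include_subdomains)

    def observe(self, host, over_tls, headers, now):
        """Learn a policy from a response. A header arriving over plain HTTP
        is ignored (RFC 6797 s8.1), so a downgraded first visit teaches
        the store nothing, which is the window the thread describes."""
        value = headers.get("Strict-Transport-Security")
        if not over_tls or value is None:
            return
        parsed = parse_hsts(value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self._policies.pop(host, None)  # max-age=0 withdraws the policy
        else:
            self._policies[host] = (now + max_age, include_sub)

    def must_upgrade(self, host, now):
        """True if a plain-HTTP request to host must be rewritten to HTTPS."""
        labels = host.split(".")
        for i in range(len(labels)):
            parent = ".".join(labels[i:])
            policy = self._policies.get(parent)
            if policy is None or now >= policy[0]:
                continue  # no policy, or the max-age window has lapsed
            if parent == host or policy[1]:
                return True
        return False
```

A fresh HstsStore() knows nothing, which is the restart case Robert raises: a browser that does not persist its store is back to the first-connection situation every session.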