All Questions (88 questions)
4 votes, 1 answer, 242 views
Why does Fedramp disallow TLS 1.2 via HSTS?
I just stumbled upon this fedramp document: https://www.fedramp.gov/assets/resources/templates/FedRAMP-Moderate-Readiness-Assessment-Report-(RAR)-Template.docx
It contains the following note in 4.2.2 ...
9 votes, 2 answers, 3k views
Do subdomains of a TLD with mandatory HTTPS require a wildcard certificate?
Many new TLDs have mandatory HTTPS requirements. Is there a way to disable that for subdomains? If not does that mean an expensive wildcard SSL certificate will need to be used with these domains?
So ...
0 votes, 1 answer, 2k views
Browsers don't trust SSL certificates of network-local host signed by own CA
I've got a Mayan EDMS running on a computer on the local network. The Web App is exposed via HTTPS on the non-standard port 8001 and it uses an SSL certificate that is signed by our own CA.
The CA is ...
2 votes, 2 answers, 1k views
Did HTTPS and HSTS kill MITM?
Is there a point in being MITM nowadays since HTTPS makes it impossible to make sense of sniffed data and HSTS prevents SSL stripping?
31 votes, 1 answer, 9k views
"google.com" is not HSTS protected?
Issue:
Oftentimes people enter google.com directly in the browser's address bar without including either the http:// or https:// prefixes.
Using Chrome DevTools on a fresh incognito session, I ran the ...
0 votes, 1 answer, 124 views
Initial requests sent over HTTP by default [duplicate]
Before the invention of HSTS security policy, if a user didn't specify the protocol in the URL, were all the initial requests sent over HTTP by default for every website?
5 votes, 2 answers, 4k views
Should I return an HSTS header for 404 error pages?
I set up our .NET web application so that it has HSTS enabled. I verified this by going to https://gf.dev/hsts-test and putting in our URL, and it shows that HSTS protection is there.
The result shows:
...
2 votes, 2 answers, 148 views
What is the relevance of HSTS on an HTTP application?
We all know that HSTS should be implemented on an HTTPS application. Recently, I came across HSTS implemented on an HTTP application.
I need to answer to the client. According to me, HSTS ...
2 votes, 2 answers, 458 views
Strict Transport Security (HSTS) HTTP Response Header Security Related Question
I always thought HSTS headers were server-specific. What reason would cause this header to not be invoked across certain URI endpoints, i.e. the HSTS header is in the response to the root directory /, as well as /...
0 votes, 1 answer, 323 views
Does HSTS prevent MITM using a valid certificate?
Let’s consider this scenario:
An attacker got a valid certificate for an HSTS-protected domain https://example.com. Can he still perform a man-in-the-middle attack even if the website is already ...
22 votes, 2 answers, 5k views
Is there any point in having the HSTS header enabled when using HTTP/2?
As a protection against attacks such as SSLstrip, the HSTS header prevents an attacker from downgrading a connection from HTTPS to HTTP, as long as the attributes of the header are properly configured....
1 vote, 3 answers, 365 views
Does HSTS provide security advantages on private networks?
For systems that only connect to the internet via a single dedicated private network (no WiFi hotspots), and assuming no systems or components on that network are compromised, does HSTS (HTTP Strict ...
13 votes, 1 answer, 1k views
Does HSTS protect against a rogue CA issuing an illegitimate valid certificate?
Does HSTS protect a domain from a publicly trusted CA that has gone rogue issuing an illegitimate valid certificate? Examples of publicly trusted CAs would be any of the members of the Mozilla CA ...
6 votes, 1 answer, 999 views
Should the Strict-Transport-Security max-age be tied to the duration of the certificate?
I understand the principle of HSTS, and the fact that the choice of max-age limits how long a visitor could potentially be locked out if the site somehow lost its certificate and had to go back to ...
0 votes, 1 answer, 1k views
Is it possible to browse HSTS sites over SOCKS5 proxy?
I am unable to browse HSTS websites using a SOCKS5 proxy in the Chrome browser... getting this error...
This site can’t be reached The web page at
https://www.instagram.com/accounts/login/?hl=en might ...