Forum Discussion
Beinhard_8950
Sep 02, 2010 - Nimbostratus
Strict Transport Security
Hi,
I have a question: has anyone implemented Strict Transport Security (STS/HSTS)?
I have seen many guides to implement this on servers and so on, but if you use an ADC then it would be...
Hamish
Sep 13, 2010 - Cirrocumulus
Mmm... The one advantage you still don't get is the possible leaking of information on the HTTP connection still... There's no way to work around that except to just drop connection attempts to port 80 (Which then goes full circle).
BUT at the end of the day, it's all still IMNSHO mostly an attempt to make apps with bugs or design faults in them 'work properly'... if the app DID work properly, there would be no need for the port 80 traffic, and no need for STS either (How many times have you seen anything like STS for IPSec for an extreme example?)
The part about making cert errors fatal and not allowing you to click around them however is a good one... That would help for some 'stolen' sites, DNS corruptions, etc.
Maybe it's time to step back and look at security properly on the Internet... Rather than trying to patch protocols that weren't intended to be used in this way... (As good as they are, there's almost always a way to break them when inserting security. Sadly that's probably not going to happen, because developers will always look for a way to have the security broken to make it easier for the user or to make their app actually work around a bug they left in it... Which generally means less secure).
Sorry... It's monday and I'm feeling cynical...
H
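Since the question asks what HSTS looks like on an ADC rather than on the web server, here is an added example (not code from either poster) of the two iRules a BIG-IP would typically carry: one on the HTTPS virtual server that emits the header, one on the port-80 virtual server that never proxies a request to the application and only redirects. The iRule names, the one-year max-age and the includeSubDomains directive are assumptions.

```tcl
# Added example (not from the thread). Two iRules for an F5 BIG-IP:
# one for the HTTPS virtual server, one for the plain-HTTP virtual server.
# iRule names, the max-age value and includeSubDomains are assumptions.

# --- iRule "hsts_https": attach to the HTTPS (client-SSL) virtual server ---
# Emits the HSTS header on every response. Per RFC 6797 a browser ignores
# the header unless it arrives over TLS, so it is never emitted on port 80.
when HTTP_RESPONSE {
    # Don't double up if the pool member already sends the header itself
    if { not [HTTP::header exists "Strict-Transport-Security"] } {
        # 31536000 s = one year; includeSubDomains assumes every subdomain
        # of this host is reachable over HTTPS (otherwise drop it)
        HTTP::header insert "Strict-Transport-Security" \
            "max-age=31536000; includeSubDomains"
    }
}

# --- iRule "http_to_https": attach to the port-80 virtual server ---
# No pool is consulted: every plaintext request gets a 301 to the same
# host and path on HTTPS, so no application data is ever served on port 80.
# The Host header and URI of this first request still travel in the clear,
# which is exactly the residual leak the reply above describes; HSTS only
# stops the browser from repeating that plaintext request later.
when HTTP_REQUEST {
    # Strip any ":port" suffix from the Host header before rebuilding the URL
    set host [getfield [HTTP::host] ":" 1]
    HTTP::respond 301 Location "https://${host}[HTTP::uri]" Connection "close"
}
```

The split matters: attaching the HSTS iRule to the port-80 virtual server as well would be harmless but useless, since the browser discards the header over HTTP, and the redirect rule must run on the port-80 virtual server without a default pool so that a misconfigured pool can never answer in the clear.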