
I assume a big reason is cookies, which are specced to be shared across the two versions: an attacker could relatively trivially trigger a request to http://example.com. which would get example.com's cookies, but not the HSTS upgrade that would prevent them from being sent in plaintext.
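To make the mismatch concrete, here is an added example (not code from the thread, and not a browser's actual implementation) that models cookie domain matching against an exact-string HSTS lookup, then shows how canonicalizing the host before both lookups closes the gap. The cookie domain, HSTS entry and hostnames are all constructed values.

```python
# Added model of the HSTS / cookie scope mismatch for a trailing-dot host.
# All state below (cookie domain, HSTS store, hostnames) is constructed.

def canonicalize_host(host: str) -> str:
    """Lower-case the host and strip a single trailing dot (FQDN form)."""
    host = host.lower()
    return host[:-1] if host.endswith(".") else host

def cookie_domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265-style domain match (identical host or dot-separated suffix),
    applied after canonicalization, so 'example.com.' receives cookies
    scoped to 'example.com', as the comment describes."""
    h = canonicalize_host(request_host)
    d = canonicalize_host(cookie_domain)
    return h == d or h.endswith("." + d)

def hsts_upgrade_naive(request_host: str, hsts_store: set) -> bool:
    """Exact-string HSTS lookup: 'example.com.' does not hit 'example.com'."""
    return request_host in hsts_store

def hsts_upgrade_canonical(request_host: str, hsts_store: set) -> bool:
    """Hardened lookup: canonicalize first so both host forms are upgraded."""
    return canonicalize_host(request_host) in hsts_store

# Constructed state: a cookie scoped to example.com and an HSTS entry for it.
COOKIE_DOMAIN = "example.com"
HSTS_STORE = {"example.com"}

def plaintext_cookie_leak(request_host: str, upgrade) -> bool:
    """True when a plaintext request to request_host would carry the cookie
    but would not be upgraded to HTTPS by the given HSTS lookup."""
    has_cookie = cookie_domain_matches(request_host, COOKIE_DOMAIN)
    return has_cookie and not upgrade(request_host, HSTS_STORE)

if __name__ == "__main__":
    for host in ("example.com", "example.com."):
        print(host,
              "leak with exact lookup:", plaintext_cookie_leak(host, hsts_upgrade_naive),
              "leak with canonical lookup:", plaintext_cookie_leak(host, hsts_upgrade_canonical))
```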


That makes sense. What a stupid mess all of this is.



