@cereal Your link requires JS to view; do you have an alternative link I can look at?
HTTPS will work as long as it's successfully initiated. If an attacker can inject packets, then they will be able to perform a man-on-the-side attack, where they can send a reply before the remote server sends its own.
Normally, when a user types "foo.com", if a webserver serves only HTTPS, it'll send a redirect to "https://foo.com". The MotS attack can reply first before such a redirect takes place.
HTTP Strict Transport Security (HSTS) was made to prevent this sort of thing. The strongest protection is the list of websites distributed with web browsers that force the web browser to connect over HTTPS, always:
https://hstspreload.appspot.com/
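The first-request gap described above, as an added example that is not part of the original post: a minimal Python model of a browser's HSTS store following RFC 6797, showing when a typed hostname still goes out over plain HTTP. The class and function names, the `preloaded.example` host, and the choice to treat preload entries as covering subdomains are assumptions made for this sketch.

```python
# Added illustration: minimal model of a browser's HSTS decision (RFC 6797).
def parse_sts(header):
    """Parse a Strict-Transport-Security value -> (max_age, include_subdomains) or None."""
    max_age, include_sub = None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if max_age is not None or not (value.isascii() and value.isdigit()):
                return None  # duplicated or malformed directive: ignore the header
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    def __init__(self, preloaded=()):
        self.preloaded = set(preloaded)  # shipped with the browser, never expires
        self.dynamic = {}                # host -> (expiry_time, include_subdomains)

    def note_response(self, host, header, now, over_https):
        """Record a policy; a header seen over plain HTTP is ignored (it is forgeable)."""
        policy = parse_sts(header) if over_https else None
        if policy is None:
            return
        max_age, include_sub = policy
        if max_age == 0:
            self.dynamic.pop(host.lower(), None)  # max-age=0 deletes the entry
        else:
            self.dynamic[host.lower()] = (now + max_age, include_sub)

    def scheme_for(self, host, now):
        """Scheme used when the user types a bare hostname."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preloaded:  # assumption: preload covers subdomains
                return "https"
            entry = self.dynamic.get(candidate)
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return "https"
        return "http"  # plaintext first request: the window a MotS reply can win

def demo():
    s = HstsStore(preloaded={"preloaded.example"})  # constructed sample data
    first = s.scheme_for("foo.com", now=0)          # never visited: plain HTTP
    s.note_response("foo.com", "max-age=31536000; includeSubDomains", 0, over_https=True)
    return first, s.scheme_for("foo.com", now=60), s.scheme_for("preloaded.example", now=0)
```

Only the preloaded host is upgraded on its very first visit; `foo.com` is protected only after one HTTPS response has been received intact and until the recorded `max-age` runs out.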