On Sat, Aug 06, 2011 at 01:40:38PM +0200, Pierre Schmitz wrote:
> On Sat, 6 Aug 2011 04:30:09 -0400, Loui Chang wrote:
>> This is why the redirects are also a charade. If Bob requests http://aur.archlinux.org but is redirected to http://aur.archlinux.frank.org rather than https://aur.archlinux.org he is probably expecting http anyways and may not bat an eye.
> HSTS tries to address this issue. At least regular users will be secured by using this.
That is crap. HSTS alone won't fix this at all. If the response to the first HTTP request is already injected, the browser won't even see the HSTS headers at all. As I said before, the certificate itself is the only feature that allows for checking authenticity here.
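The first-contact problem described in this reply can be walked through with a small model of a browser's HSTS cache. This is an added illustration, not code from the thread or from the AUR project. It assumes (as RFC 6797 requires) that a Strict-Transport-Security header is only honoured when received over HTTPS, and that the on-path attacker can rewrite plain-HTTP responses but cannot present a valid certificate for aur.archlinux.org. The hostnames, redirect target and max-age value are constructed for the example; `aur.archlinux.frank.org` is taken from the quoted message.

```python
"""Model of a browser's HSTS cache under two first-contact scenarios.

Constructed example: a clean first visit learns the HSTS policy and later
plain-HTTP requests are upgraded before touching the network; an attacked
first visit never sees the header and follows the injected redirect.
"""
import time
from urllib.parse import urlsplit, urlunsplit

REAL_HOST = "aur.archlinux.org"
ATTACKER_HOST = "aur.archlinux.frank.org"   # constructed, from the quoted message


def honest_response(scheme, host):
    """What the real servers answer (constructed for the example)."""
    if host != REAL_HOST:
        return {"status": 404, "headers": {}}
    if scheme == "http":
        # Plain HTTP only redirects; the policy header is sent over TLS.
        return {"status": 301, "headers": {"Location": f"https://{REAL_HOST}/"}}
    return {"status": 200,
            "headers": {"Strict-Transport-Security": "max-age=31536000"}}


def injected_response(host):
    """An on-path attacker rewriting plain-HTTP traffic (constructed)."""
    if host == REAL_HOST:
        return {"status": 302, "headers": {"Location": f"http://{ATTACKER_HOST}/"}}
    return {"status": 200, "headers": {}}   # the attacker's look-alike page


class Browser:
    def __init__(self):
        self.hsts = {}    # host -> policy expiry, epoch seconds
        self.log = []

    def _hsts_active(self, host):
        return self.hsts.get(host, 0) > time.time()

    def _remember_hsts(self, host, value):
        # Only max-age is parsed; includeSubDomains/preload are out of scope.
        for directive in value.split(";"):
            name, _, val = directive.strip().partition("=")
            if name.lower() == "max-age":
                self.hsts[host] = time.time() + int(val)

    def fetch(self, url, attacker_on_path=False, hops=0):
        """Follow redirects and return the final URL actually loaded."""
        if hops > 5:
            raise RuntimeError("too many redirects")
        parts = urlsplit(url)
        host, scheme = parts.hostname, parts.scheme
        # A known HSTS host is rewritten to https before any bytes hit the wire.
        if scheme == "http" and self._hsts_active(host):
            url = urlunsplit(("https",) + tuple(parts[1:]))
            scheme = "https"
            self.log.append(f"HSTS upgrade -> {url}")
        self.log.append(f"GET {url}")
        if scheme == "http":
            resp = (injected_response(host) if attacker_on_path
                    else honest_response("http", host))
        else:
            # TLS: the attacker has no valid certificate, so this is authentic,
            # and only here is the STS header allowed to update the cache.
            resp = honest_response("https", host)
            sts = resp["headers"].get("Strict-Transport-Security")
            if sts:
                self._remember_hsts(host, sts)
        if resp["status"] in (301, 302):
            return self.fetch(resp["headers"]["Location"], attacker_on_path, hops + 1)
        return url


def clean_first_visit_then_attacked():
    """Scenario A: policy learned on a clean visit protects the next one."""
    b = Browser()
    first = b.fetch(f"http://{REAL_HOST}")
    second = b.fetch(f"http://{REAL_HOST}", attacker_on_path=True)
    return first, second, REAL_HOST in b.hsts


def attacked_first_visit():
    """Scenario B: the very first response is injected; HSTS never applies."""
    b = Browser()
    final = b.fetch(f"http://{REAL_HOST}", attacker_on_path=True)
    return final, REAL_HOST in b.hsts


if __name__ == "__main__":
    print("clean first visit, then attacked:", clean_first_visit_then_attacked())
    print("attacked on first visit:          ", attacked_first_visit())
```

Scenario B is the case the reply describes: with no cached policy the browser sends the plain-HTTP request, the attacker answers it, and the only thing that ever reaches the user is the redirect to the look-alike host. The model only becomes safe once an authenticated HTTPS response has been seen, which is exactly why the certificate, not the header, carries the trust.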