Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I was referring to serving an ordinary HTTP page on port 80. Most people type facebook.com into the address bar and hit Enter (and don't have HTTPSEverywhere). In normal circumstances, Facebook would issue a redirect to https://facebook.com, but if you're controlling the network you just serve the front page via HTTP.


Yes, I suppose that might work at least some of the time. Most browsers these days, however, would send you to the https site simply because you had visited it more frequently unless you typed out the full url and managed not to select the offered completion.


> Most browsers these days, however, would send you to the https site simply because you had visited it more frequently

Actually, in that case, modern browsers would completely refuse to send you to the http site, even if you typed it in explicitly. All thanks to Facebook's 90 day HSTS header [0].

They could improve their security further by getting Facebook into the Chromium preload list. That list, which is shared with Firefox, eliminates the need for an initial, clear connection.

[0]: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

[1]: https://src.chromium.org/viewvc/chrome/trunk/src/net/http/tr...




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: