
Not just unencrypted - traffic for any website that doesn't use HSTS. All they need to do is intercept a single HTTP page and then they can modify it to contain iframes to their favorite sites over http, and any site without HSTS can then be owned.


Hopefully though everyone sets the secure flag on important cookies... I wouldn't bet on it, but I suspect it may be more common than HSTS.
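
An added example, not part of either comment above: a small Python audit that checks one HTTPS response for the two defences the thread mentions, an effective `Strict-Transport-Security` header and the `Secure` attribute on every cookie. The function names and the sample responses are constructed for illustration.

```python
# Added example: audit one HTTPS response for the two defences in the thread.
def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            max_age = int(arg) if arg.isascii() and arg.isdigit() else None
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def insecure_cookies(set_cookie_values):
    """Names of cookies whose Set-Cookie line lacks the Secure attribute."""
    missing = []
    for line in set_cookie_values:
        pair, *attrs = line.split(";")
        flags = {a.strip().partition("=")[0].lower() for a in attrs}
        if "secure" not in flags:
            missing.append(pair.partition("=")[0].strip())
    return missing


def audit(headers):
    """headers: list of (name, value) tuples from a response fetched over HTTPS."""
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    cookies = [v for k, v in headers if k.lower() == "set-cookie"]
    # RFC 6797: only the first STS header counts; max-age=0 switches HSTS off.
    max_age, include_sub = parse_hsts(hsts[0]) if hsts else (None, False)
    return {
        "hsts_enabled": bool(max_age),
        "include_subdomains": include_sub,
        "cookies_without_secure": insecure_cookies(cookies),
    }


# Constructed sample responses (not captured from any real site).
NO_HSTS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure"),
]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
]
```

In the first sample the `session` cookie is the one a browser would still send over plain HTTP, since the response carries neither HSTS nor the `Secure` attribute for it.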



