
Can anyone explain this line from commenter Darren Cook: "Once this enforcement is in place, browsers will simply refuse to connect to Google over an insecure or compromised connection. By shipping this setting in the browser itself, circumvention will become effectively impossible."

Some browsers are open source, and it seems to me that developers can never definitively rely on their behavior. Surely the enforcement depends ultimately not on the browsers but rather on the server refusing non-TLS connection attempts?




You can patch the browser to disable HSTS, but if you allow patching the browser to break the security intentionally, then all bets are off I'd say?

Surely the enforcement depends ultimately not on the browsers but rather on the server refusing non-TLS connection attempts?

No, HSTS-capable browsers (Firefox and Chrome) will flatly refuse to connect if HSTS is in action. That's the whole idea and the defense against SSLstrip.


The point of TLS is to protect against MitM. The server refusing the non-TLS connection is not safe against MitM, a MitM can still claim to be the target server and accept the connection and thus (potentially) compromise the website/account/whatever. That is why the client has to refuse even trying to connect without TLS.
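The behaviour the two replies above describe, as an added example that is not part of the thread or of any browser's code: a toy Node.js model of an SSLstrip-style attacker sitting between a browser and an origin that "refuses non-TLS" by redirecting every plain-HTTP request to HTTPS. The names originServer, honestNetwork, sslstripNetwork, Browser and the host example.com are constructed; parseHsts follows the shape of RFC 6797 but is a simplification. It runs two cases: a browser with no HSTS knowledge, and one that already has an HSTS entry (learned on an earlier clean HTTPS visit, or shipped in the preload list).

```javascript
// Added example (not from the thread): why HSTS has to be enforced by the client.
// All names and the host below are constructed for illustration.
const HOST = "example.com";

// The origin "refuses non-TLS": plain HTTP only ever gets a redirect to HTTPS.
// Over HTTPS it serves the page plus a Strict-Transport-Security header.
function originServer(req) {
  if (req.scheme === "http") {
    return { status: 301, headers: { location: `https://${HOST}${req.path}` }, body: "" };
  }
  return {
    status: 200,
    headers: { "strict-transport-security": "max-age=31536000; includeSubDomains" },
    body: `<form action="https://${HOST}/login" method="post">`,
  };
}

// No attacker on the path: HTTPS reaches and authenticates the real origin.
function honestNetwork(req) {
  return originServer(req);
}

// SSLstrip-style MitM. It cannot forge a certificate for HOST, so any HTTPS
// attempt fails; but a plaintext connection it simply accepts, fetches the real
// page over HTTPS itself, drops the HSTS header, rewrites https:// to http://
// and hands the result back in the clear. The origin's redirect never reaches
// the victim, so "the server refusing non-TLS" buys nothing here.
function sslstripNetwork(req, attackerLog) {
  if (req.scheme === "https") return { status: 0, headers: {}, body: "", certError: true };
  attackerLog.push(`plaintext ${req.method} http://${req.host}${req.path}`);
  const upstream = originServer({ ...req, scheme: "https" });
  const headers = { ...upstream.headers };
  delete headers["strict-transport-security"];
  if (headers.location) headers.location = headers.location.replace(/^https:/, "http:");
  return { ...upstream, headers, body: upstream.body.replace(/https:\/\//g, "http://") };
}

// Minimal RFC 6797-style parser: max-age is mandatory, includeSubDomains optional.
function parseHsts(value) {
  if (!value) return null;
  const directives = value.split(";").map((d) => d.trim().toLowerCase());
  const maxAge = directives.map((d) => /^max-age=(\d+)$/.exec(d)).find(Boolean);
  if (!maxAge) return null;
  return { maxAge: Number(maxAge[1]), includeSubDomains: directives.includes("includesubdomains") };
}

class Browser {
  // preloadHosts models the HSTS list compiled into the browser binary.
  constructor(preloadHosts = []) {
    this.hsts = new Map(preloadHosts.map((h) => [h, { expires: Infinity, includeSubDomains: true }]));
  }

  isHstsHost(host, now) {
    const labels = host.split(".");
    for (let i = 0; i < labels.length; i++) {
      const entry = this.hsts.get(labels.slice(i).join("."));
      if (entry && entry.expires > now && (i === 0 || entry.includeSubDomains)) return true;
    }
    return false;
  }

  fetch(url, network, now = Date.now()) {
    const u = new URL(url);
    // The HSTS upgrade happens inside the client, before any packet is sent.
    if (u.protocol === "http:" && this.isHstsHost(u.hostname, now)) u.protocol = "https:";
    const req = { method: "GET", scheme: u.protocol.slice(0, -1), host: u.hostname, path: u.pathname };
    const resp = network(req);
    if (resp.certError) return { ok: false, scheme: req.scheme, reason: "certificate error, no click-through" };
    // A policy is only honoured when it arrived over an authenticated TLS connection.
    if (req.scheme === "https") {
      const policy = parseHsts(resp.headers["strict-transport-security"]);
      if (policy) this.hsts.set(req.host, { expires: now + policy.maxAge * 1000, includeSubDomains: policy.includeSubDomains });
    }
    if (resp.status === 301) return this.fetch(resp.headers.location, network, now);
    return { ok: true, scheme: req.scheme, body: resp.body };
  }
}

// Fresh browser, user types "example.com/login" (so http://), attacker on the path.
function scenarioServerOnlyEnforcement() {
  const attackerLog = [];
  const result = new Browser().fetch(`http://${HOST}/login`, (r) => sslstripNetwork(r, attackerLog));
  return { result, attackerLog };
}

// Same attacker, but the browser already knows HOST is HSTS: from the preload
// list, or from one earlier clean HTTPS visit.
function scenarioHstsEnforcement(preloaded) {
  const browser = new Browser(preloaded ? [HOST] : []);
  if (!preloaded) browser.fetch(`https://${HOST}/`, honestNetwork);
  const attackerLog = [];
  const result = browser.fetch(`http://${HOST}/login`, (r) => sslstripNetwork(r, attackerLog));
  return { result, attackerLog };
}

console.log(scenarioServerOnlyEnforcement());
console.log(scenarioHstsEnforcement(false), scenarioHstsEnforcement(true));
```

In the first scenario the login form loads over plain HTTP with its action rewritten to http://, and the attacker's log shows the plaintext request, even though the real origin never served anything over HTTP. In the second the browser rewrites the URL to https:// before touching the network, the attacker cannot present a valid certificate, and the connection hard-fails with nothing in the attacker's log. Note the gap the model also exposes: a browser only learns the policy from a header it received over TLS, so a victim whose very first visit is already being stripped never gets it, which is what the preload list (and the built-in setting the quoted comment refers to) closes.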



