Man-in-the-middle attack on Mobile Facebook possible due to lack of HSTS header - nelse
https://gist.github.com/bartekn/6924685

======
pmh
It's important to note that even if the HSTS header was present on the mobile
site, the exploit would still be possible since many mobile browsers do not
support HSTS[1].

[1] http://michael-coates.blogspot.com/2013/09/security-capabilities-comparison-hsts.html

------
ancarda
>We are slowly rolling out HSTS across the entirety of Facebook's
infrastructure. The fact that m.facebook.com does not send this header
currently is by design.

Why not? For browsers that don't support HSTS, the header will be ignored. For
those that do support it, the end-user gets better security. Is there a
feasible reason for not enabling it everywhere? My guess would be so Facebook
can disable SSL for certain browsers?

------
matt_heimer
I don't get this header. Wouldn't the man-in-the-middle that is using
something like sslstrip also be able to strip out any header they choose to?

~~~
daeken
Yes, this is the case, but _only_ in the first request. As soon as an HTTP
user agent gets such an HSTS header, it will only communicate via HTTPS until
_max-age_ expires.
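
The behaviour daeken describes (no protection on the very first plaintext request, an upgrade to https:// for every later request once a Strict-Transport-Security header has been seen over HTTPS, and a fall back to the unprotected state once max-age runs out) can be modelled with a small policy store. The code below is an added illustration written for this thread, not any browser's actual implementation; the host names, the 3600-second max-age and the fake clock are constructed values.

```python
import time
from urllib.parse import urlsplit, urlunsplit


class HstsCache:
    """Toy model of a user agent's HSTS policy store (constructed example,
    not taken from any real browser)."""

    def __init__(self, now=time.time):
        self._now = now
        self._policies = {}  # host -> (expires_at, include_subdomains)

    def process_header(self, host, header_value):
        """Record the policy carried by a Strict-Transport-Security value.
        Returns False when the header is malformed and therefore ignored."""
        max_age = None
        include_subdomains = False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return False
            elif name == "includesubdomains":
                include_subdomains = True
        if max_age is None:
            return False
        if max_age == 0:
            self._policies.pop(host, None)  # max-age=0 clears the policy
            return True
        self._policies[host] = (self._now() + max_age, include_subdomains)
        return True

    def receive_response(self, url, headers):
        """Apply the HSTS header of a response, but only if the response came
        over HTTPS (RFC 6797): a header injected into an sslstrip'd plaintext
        response is ignored, so it cannot be used to poison the store."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return False
        return self.process_header(parts.hostname, value)

    def _known_host(self, host):
        # Expired entries are purged lazily; after max-age the host is
        # back to the unprotected first-request state.
        for stored, (expires_at, include_subdomains) in list(self._policies.items()):
            if expires_at <= self._now():
                del self._policies[stored]
                continue
            if host == stored or (include_subdomains and host.endswith("." + stored)):
                return True
        return False

    def rewrite(self, url):
        """Return the URL the user agent would actually fetch: http:// is
        upgraded to https:// for hosts with a live policy, else unchanged."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self._known_host(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def demo():
    """Walk through first visit, protected visits, and expiry with a fake clock."""
    clock = [1_000_000.0]
    cache = HstsCache(now=lambda: clock[0])
    # 1. First visit: no policy yet, so the http:// request goes out in the clear.
    first = cache.rewrite("http://example.test/")
    # 2. The HTTPS response carries the header; later http:// URLs are upgraded,
    #    subdomains included because of includeSubDomains.
    cache.receive_response(
        "https://example.test/",
        {"Strict-Transport-Security": "max-age=3600; includeSubDomains"},
    )
    upgraded = cache.rewrite("http://example.test/login")
    sub = cache.rewrite("http://m.example.test/")
    # 3. Once max-age has elapsed the user agent is back at step 1.
    clock[0] += 3601
    expired = cache.rewrite("http://example.test/")
    return first, upgraded, sub, expired


if __name__ == "__main__":
    print(demo())
```

The two checks that matter for the thread's discussion are in `receive_response` (the header only counts when it arrived over HTTPS) and in `_known_host` (protection ends when the stored expiry passes), which is why a site that wants continuous coverage has to keep serving the header with a long max-age.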

~~~
davis_m
Only if the browser supports HSTS. Many do not, especially mobile browsers.

------
elwell
Useful post simply for bringing attention to HSTS, of which I've never heard.

------
Sami_Lehtinen
I think marking cookies secure-only is more important than HSTS, but if both
are lacking, then it's quite a bad thing.

Btw, there are many sites like this out there, so this isn't news actually.
There are even more sites which lack HTTPS completely.
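
The two properties the comment contrasts, a Secure attribute on session cookies and an HSTS header, are both visible in a single HTTPS response, so they can be checked together. The following audit function is an added example for this thread, not code from the submitted gist or from Facebook; the two sample responses and their cookie names are constructed.

```python
def audit_response(headers):
    """Report transport-security weaknesses in a list of (name, value) header
    pairs. A list is used rather than a dict so repeated Set-Cookie lines
    are all inspected."""
    findings = []
    has_hsts = any(n.lower() == "strict-transport-security" for n, _ in headers)
    if not has_hsts:
        findings.append("missing Strict-Transport-Security header")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        # "name=value; Attr; Attr=val" -> cookie name plus a set of attribute names
        cookie_name = value.split(";", 1)[0].split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(
                f"cookie {cookie_name!r} lacks Secure: the browser will also send "
                "it over plaintext http:// requests"
            )
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name!r} lacks HttpOnly: readable by page scripts")
    return findings


# Constructed sample: a response that sets cookies without Secure and sends no HSTS.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/"),
]

# Constructed sample: the same response with both problems fixed.
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly"),
]


if __name__ == "__main__":
    for finding in audit_response(WEAK_RESPONSE):
        print("weak:", finding)
    print("hardened findings:", audit_response(HARDENED_RESPONSE))
```

A Secure cookie stops the session token from being disclosed when a user (or a stripping proxy) loads the site over plain HTTP, independent of whether the browser understands HSTS, which is the reason the comment ranks it first.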