

The sad state of SMTP encryption - liotier
https://blog.filippo.io/the-sad-state-of-smtp-encryption/

======
ikeboy
>In browser world, it's as if you always connected over HTTP and relied on the
301 redirect to switch to HTTPS. An attacker can do an SSL stripping attack
where they just answer to your HTTP query. It's also what HSTS is designed to
prevent.

This is mixing up two things. If you connect over HTTP, an attacker doesn't
need to do any stripping. Sslstrip is a way to turn your https into http, in
the hope that you won't notice your browser bar. HSTS does fix both of those.

