"Everything in the HTTPS message is encrypted, including the headers, and the request/response load." [https://en.wikipedia.org/wiki/HTTPS#Network_layers]
Limitations
"A sophisticated type of man-in-the-middle attack called SSL stripping was presented at the Blackhat Conference 2009. This type of attack defeats the security provided by HTTPS by changing the https: link into an http: link, taking advantage of the fact that few Internet users actually type "https" into their browser interface: they get to a secure site by clicking on a link, and thus are fooled into thinking that they are using HTTPS when in fact they are using HTTP." [https://en.wikipedia.org/wiki/HTTPS#Limitations]
SSL Stripping Mitigation
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
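As an added example (not from the original post or the OWASP cheat sheet), the following Python parses a Strict-Transport-Security value, flags weaker variants of the header above, and simulates the browser-side behaviour that defeats SSL stripping: once a host has a cached HSTS policy, the browser rewrites an http: link to https: before any request leaves the machine. The one-year minimum and the constructed `CACHE` entry are assumptions for the example.

```python
"""HSTS policy parser plus the browser-side upgrade that defeats SSL stripping."""
from urllib.parse import urlsplit, urlunsplit

PRELOAD_MIN_AGE = 31536000  # one year; assumed minimum for a strong policy

def parse_hsts(header_value: str) -> dict:
    """Parse a Strict-Transport-Security value into its three directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and value.strip().isdigit():
            policy["max_age"] = int(value.strip())
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def hsts_findings(header_value: str) -> list:
    """Return weaknesses found; an empty list means the policy matches the header above."""
    p = parse_hsts(header_value)
    findings = []
    if p["max_age"] is None:
        findings.append("missing max-age: header is invalid and ignored by browsers")
    elif p["max_age"] == 0:
        findings.append("max-age=0 clears the policy")
    elif p["max_age"] < PRELOAD_MIN_AGE:
        findings.append("max-age shorter than one year")
    if not p["include_subdomains"]:
        findings.append("subdomains not covered")
    if not p["preload"]:
        findings.append("not eligible for browser preload lists")
    return findings

def upgrade_url(url: str, hsts_cache: dict) -> str:
    """Simulate the browser: rewrite http: to https: for a host with a cached policy,
    or for a parent domain whose policy set includeSubDomains. A stripped link is
    therefore upgraded before the attacker sees a plaintext request."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    labels = (parts.hostname or "").split(".")
    for i in range(len(labels)):
        policy = hsts_cache.get(".".join(labels[i:]))
        if policy and (i == 0 or policy["include_subdomains"]):
            netloc = parts.hostname if parts.port == 80 else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return url

# Constructed cache entry: the browser has previously seen the header from this post.
CACHE = {"example.com": parse_hsts("max-age=31536000; includeSubDomains; preload")}
```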