Pre-HTTPS MitM
  - Enter example.com
  - Load http://example.com
  - Hijack the request, transparently proxy it without the redirect, and do what you like.
  - GAME OVER / NOPE
  @pimterry

Pre-HTTPS MitM
  - Load http://linking-site.com
  - Click a link to http://example.com
  - Proxy rewrites all links to HTTP
  - Transparently proxy your request
  - GAME OVER / NOPE

Other gotchas
  - Needs to be set on the root domain (example.com)
  - Required on redirect domains too (example.net)
  - Needs easily recognizable domains
  - You're committing to HTTPS forever

Let's build a secure web
  - Serve content with HTTPS only
  - Use upgrade-insecure-requests
  - Use HSTS, and get preloaded
  - Check other sites (securityheaders.io) and complain!
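The "Other gotchas" and "Use HSTS, and get preloaded" points above translate into a concrete check: every host in the deployment, the root domain and the redirect-only domains alike, must send a Strict-Transport-Security header that satisfies the preload list's rules. The following Python is an added example, not code from the talk or from @pimterry. It assumes the hstspreload.org submission requirements as I know them (max-age of at least one year, includeSubDomains, and the preload directive); the hostnames and header values are constructed sample data, and `audit`, `hsts_problems` and `parse_hsts` are names chosen here.

```python
"""Audit Strict-Transport-Security (HSTS) headers for preload readiness.

Added example, not the speaker's code. Assumed policy (hstspreload.org rules):
max-age >= 31536000 seconds, includeSubDomains present, preload present.
"""
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; the preload list's minimum max-age


def parse_hsts(header: Optional[str]) -> Dict[str, Optional[str]]:
    """Split an HSTS header value into a directive map (names lower-cased).

    Directive names are case-insensitive per the HSTS spec, so they are
    normalised; a quoted max-age value has its quotes removed.
    """
    directives: Dict[str, Optional[str]] = {}
    if not header:
        return directives
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def hsts_problems(header: Optional[str]) -> List[str]:
    """Return the preload-readiness problems for one header value ([] if OK)."""
    d = parse_hsts(header)
    if not d:
        return ["no Strict-Transport-Security header"]
    problems: List[str] = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not a number")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def audit(site_headers: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Check every host (root domain and redirect domains alike) and
    return only the hosts that have problems."""
    results = {host: hsts_problems(value) for host, value in site_headers.items()}
    return {host: probs for host, probs in results.items() if probs}


# Constructed sample: what each host in a hypothetical deployment sends.
SAMPLE_HEADERS: Dict[str, Optional[str]] = {
    "example.com": "max-age=31536000; includeSubDomains; preload",
    "www.example.com": "max-age=300",  # too short, no subdomains, no preload
    "example.net": None,               # redirect-only domain with no HSTS at all
}

if __name__ == "__main__":
    for host, problems in audit(SAMPLE_HEADERS).items():
        print(host)
        for problem in problems:
            print("  -", problem)
```

In practice the header map would be filled from real responses (for example with `requests.head(..., allow_redirects=False)` against each host over HTTPS); the audit logic stays the same, and a redirect-only domain such as example.net shows up as a failure exactly as the slide warns.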