Interested to begin using TOR, so I’ve been doing some research the last few days about how secure HTTPS really is. I learned about SSL and TLS 1.1 being deprecated.
Marlinspike created SSLStrip 2012 if I didn’t get the year wrong. TLS 1.2 came year 2008. But according to this article: [https://www.rapidsslonline.com/ssl/what-is-ssl-stripping-attack/](https://www.rapidsslonline.com/ssl/what-is-ssl-stripping-attack/) TLS 1.2 and 1.3 were built to defeat SSL stripping. But I guess that TLS 1.2 didn’t do a good enough job at it? Anyway, v 1.3 was released year 2018.
So, the shortcoming of HSTS when it’s not preloaded are:
1. It requires a previous connection to know to always connect securely to a particular site.
2. A hacker can hijack the protocol used to sync a computer’s time (NTP), it can be possible to set a computers date and time to one in the future, as in a date and time when the HSTS rule has expired.
So, I’m just here to ask if anyone who’s more experienced at this knows if these shortcomings are plugged by TLS 1.3? How?
Btw, there’s also a shortcoming of HSTS even when it’s preloaded: if a website about books links to an online retailer, and the retailer enforces HTTPS using HSTS, it’s still possible to conduct an on-path attack, providing the website linking to the retailer doesn’t use HTTPS.
Most of what I’ve said comes from the article I’ve linked to. I’ve read a lot of articles and watched some videos, but I found that article the easiest to understand.
Btw, I’m new to this subreddit, and wonder what the difference is between r/cybersecurity and r/netsec?