May 18, 2021

Does TLS 1.3 fill the shortcomings of HSTS?


Interested to begin using TOR, so I’ve been doing some research the last few days about how secure HTTPS really is. I learned about SSL and TLS 1.1 being deprecated.

Marlinspike created SSLStrip 2012 if I didn’t get the year wrong. TLS 1.2 came year 2008. But according to this article: [https://www.rapidsslonline.com/ssl/what-is-ssl-stripping-attack/](https://www.rapidsslonline.com/ssl/what-is-ssl-stripping-attack/) TLS 1.2 and 1.3 were built to defeat SSL stripping. But I guess that TLS 1.2 didn’t do a good enough job at it? Anyway, v 1.3 was released year 2018.

So, the shortcoming of HSTS when it’s not preloaded are:

1. It requires a previous connection to know to always connect securely to a particular site.

2. A hacker can hijack the protocol used to sync a computer’s time (NTP), it can be possible to set a computers date and time to one in the future, as in a date and time when the HSTS rule has expired.

So, I’m just here to ask if anyone who’s more experienced at this knows if these shortcomings are plugged by TLS 1.3? How?

Btw, there’s also a shortcoming of HSTS even when it’s preloaded: if a website about books links to an online retailer, and the retailer enforces HTTPS using HSTS, it’s still possible to conduct an on-path attack, providing the website linking to the retailer doesn’t use HTTPS.

Most of what I’ve said comes from the article I’ve linked to. I’ve read a lot of articles and watched some videos, but I found that article the easiest to understand.

Btw, I’m new to this subreddit, and wonder what the difference is between r/cybersecurity and r/netsec?

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: By filling this form and submitting your commen, you acknowledge, agree and comply with our terms of service. In addition you acknowledge that you are willingly sharing your email address with AiOWikis and you might receive notification emails from AiOWikis for comment notifications. AiOWiksi guarantees that your email address WILL NOT be used for advertisement or email marketting purposes.

This site uses Akismet to reduce spam. Learn how your comment data is processed.