1

For systems that only connect to the internet via a single dedicated private network (no WiFi hotspots), and assuming no systems or components on that network are compromised, does HSTS (HTTP Strict Transport Security) provide any security advantages?

gowenfawr

3 Answers

5

and assuming no systems or components on that network are compromised

...and assuming that nobody who has access to the systems or the networks has any bad intentions and can be trusted with visibility of any data passing through the network....then no, it adds nothing.

But those are very big assumptions.

symcbean
1

Essentially, if you assume "no systems or components on that network are compromised" you're in very deep water already. What if they get compromised?

At the end of the day it comes down to your organization evaluating risk and the benefits of implementing the ways to mitigate the risk.

0

You get all of the benefits of an encrypted connection!

  • Assurance knowing you're connected directly to the target website via certificate validation. This protects against: Man-in-the-middle attacks, DNS hijacking, BGP hijacking, Domain spoofing (Why is HTTP not secure?).
  • The target website is more secure since all content is loaded over HTTPS. Some examples include protecting against posting from http to https and mixed-content while securing logins and cookies.
  • Some ISPs have been known to monitor connections for ad serving purposes which encryption defeats.
  • You're protected should an adjacent system become compromised.

The following is a closely related post from this site.

What vulnerabilities are there for a website that does not use SSL for a login page (or any pages)

phbits
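As an added example, not part of phbits's answer or the linked posts: a minimal Python model of the HSTS policy store a browser keeps, following RFC 6797. It shows the two properties that matter for the question: a policy can only be learned from an https response that already passed certificate validation, and once learned, an http:// URL for that host is rewritten to https:// before any packet leaves the machine, so a downgrade by a compromised device on the "trusted" network has nothing to intercept. The hostnames, header values and clock values are constructed for illustration.

```python
"""Minimal model of a browser's HSTS policy store (RFC 6797).

Added example, not code from the original answer or the linked posts.
Hostnames, header values and timestamps are constructed.
"""
import time
from urllib.parse import urlsplit, urlunsplit

# host -> (expiry as Unix time, includeSubDomains flag)
STORE = {}


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header must be ignored: max-age missing, malformed
    or given more than once (RFC 6797 requires exactly one max-age directive).
    """
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # other directives (e.g. preload) do not change client behaviour here
    if max_age is None:
        return None
    return max_age, include_sub


def observe_response(url, headers, now=None):
    """Update the store from a response; returns True if the store changed.

    Only an https response (one that passed certificate validation) may set
    or clear a policy. A header injected into a plain-http response by someone
    on the path is ignored, so an attacker cannot plant or withdraw a policy.
    """
    now = time.time() if now is None else now
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname is None:
        return False
    parsed = parse_hsts(headers.get("Strict-Transport-Security", ""))
    if parsed is None:
        return False
    max_age, include_sub = parsed
    host = parts.hostname.lower()
    if max_age == 0:
        STORE.pop(host, None)  # the site explicitly withdrew its policy
    else:
        STORE[host] = (now + max_age, include_sub)
    return True


def is_known_hsts_host(host, now=None):
    """True if host, or a parent with includeSubDomains, has an unexpired policy."""
    now = time.time() if now is None else now
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = STORE.get(candidate)
        if entry is None:
            continue
        expires_at, include_sub = entry
        if expires_at <= now:
            del STORE[candidate]  # expired policies are dropped lazily
            continue
        if i == 0 or include_sub:
            return True
    return False


def rewrite_request(url, now=None):
    """Return the URL the client will actually fetch.

    An http:// URL for a known HSTS host becomes https:// before the request
    is sent (port 80 maps to the https default, other ports are kept), which
    is what defeats sslstrip-style downgrades. Other URLs pass through.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname is None:
        return url
    if not is_known_hsts_host(parts.hostname, now):
        return url
    netloc = parts.hostname
    if parts.port not in (None, 80):
        netloc += f":{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock, seconds since the epoch
    hdr = "Strict-Transport-Security"
    # First contact over plain http: nothing is learned, nothing is upgraded.
    observe_response("http://intranet.example/", {hdr: "max-age=600"}, now=t0)
    print(rewrite_request("http://intranet.example/login", now=t0))
    # One validated https response sets the policy for the host and subdomains.
    observe_response("https://intranet.example/", {hdr: "max-age=600; includeSubDomains"}, now=t0)
    print(rewrite_request("http://hr.intranet.example/", now=t0))
    # A max-age=0 injected over http cannot clear it; the policy later expires.
    observe_response("http://intranet.example/", {hdr: "max-age=0"}, now=t0)
    print(rewrite_request("http://intranet.example/", now=t0 + 599))
    print(rewrite_request("http://intranet.example/", now=t0 + 601))
```

The model also makes the caveat visible: the very first request to a host the client has never seen over https is not protected (trust on first use), which is the gap the `preload` directive and the browser preload lists exist to close. On a private network the window between "not compromised" and "compromised" is exactly when an already-cached policy pays off.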