You are viewing a single comment's thread from:

RE: A brief rant on password security [Edit: Not so brief after all]

in #security8 years ago

Hmm, I'm not sure what you're seeing, but requesting any page from Dashlane's website over HTTP returns a 301 redirect to the HTTPS version, and they have HSTS enabled so your browser will not trust content from that domain over HTTP again. That's pretty much best practice all around.

They don't have HPKP, but I don't blame them: that makes you unable to adapt if your CA goes rogue or goes under. HPKP is generally too risky unless you run your own CA.

Sort:  

I am using chrome and it shows https crossed out. Navigate to https://dashlane.com/ in chrome (no www) and see what I mean. Actually its a cert problem. I stand corrected.

Ahh, yes. That's a misconfiguration on their part; looks like the raw domain, without the www, is configured to point to their mailserver, so [email protected] will work correctly (poorly done, should've had the A record point to the website and the MX record point to the mailserver), so if you manually type https://dashlane.com, it breaks.

That is badly insecure, because it means they don't have HSTS on dashlane.com, only on www.dashlane.com, meaning I could sslstrip them as you described, and the address bar would read dashlane.com instead of www.dashlane.com.

Coin Marketplace

STEEM 0.25
TRX 0.25
JST 0.040
BTC 94194.88
ETH 3392.03
USDT 1.00
SBD 3.50