You are right. With different Tor circuits, the attacker needs to control a lot of exit nodes to correlate the initial HTTP request to ssl-stripped page and the DNS query (to be a global adversary).
How about sslstrip2 ([1], check demo)? A weakness of HSTS is that is stored per domain and the exit node can also control your DNS traffic. I wonder how hard it is to pull this off as a Tor exit node, for local networks…
You are right. With different Tor circuits, the attacker needs to control a lot of exit nodes to correlate the initial HTTP request to ssl-stripped page and the DNS query (to be a global adversary).
How about sslstrip2 ([1], check demo)? A weakness of HSTS is that is stored per domain and the exit node can also control your DNS traffic. I wonder how hard it is to pull this off as a Tor exit node, for local networks…