True or False: HSTS is absolutely useless against MITM attacks
False, HSTS protects against certain categories of MITM attack but not against others.
HKP (I know you didn't ask about this but I feel it doesn't make sense to look at one without looking at the other) also protects against certain categories of MITM attacks but not against others.
The combination of HSTS and HKP protects against an attack scenario that neither alone can protect against.
There are some types of MITM attack that cannot be protected against by the combaintion of HSTS and HKP.
Lets look at some scenarios. In all scenarios I will assume that example.com is not in any browser prelod lists. I will also assume that http://example.com redirect to https://example.com
Scenario 1:
The client visits http://example.com/ and they had not visited example.com before the MITM esablished themselves.
In this scenario the MITM will succed. He can simply intercept the intial connection and prevent redirection to https.
Scenario 2:
The client visits https://example.com/ . The attacker does not posses a certificate that will pass the browsers normal certificate validation.
In this scenario the https connection will fail certificate validation and the MITM will fail. HSTS and HKP are not needed.
Scenario 3:
The client visits http://example.com/ and they had visited example.com before the MITM esablished themselves. The attacker does not posses a certificate that will pass the browsers normal certificate validation.
In this scenario without HSTS the MITM will succed. He can simply intercept the intial connection and prevent redirection to https.
With HSTS the browser will never try to make a plain http connection but will instead move straight to https. The https connection will fail certificate validation and the MITM will fail.
Scenario 4:
The client visits https://example.com/ and they had not visited example.com before the MITM esablished themselves. The attacker has obtained a certificate coverting example.com from a CA in the browsers default trusted roots list (by trickery, bribery, bullying or whatever)
In this scenario the attacker succeeds.
Scenario 5:
The client visits https://example.com/ and they had visited example.com before the MITM esablished themselves. The attacker has obtained a certificate coverting example.com from a CA in the browsers default trusted roots list.
In this scenario without HKP the attacker succeeds. With HKP the certificate validation fails.
Scenario 6:
The client visits http://example.com/ and they had visited example.com before the MITM esablished themselves. The attacker has obtained a certificate coverting example.com from a CA in the browsers default trusted roots list.
In this scenario without HSTS the MITM will succeed. He can simply intercept the intial connection and prevent redirection to https.
In this scenario without HKP the MITM will succeed. He can successfully MITM the https connection.
With both HSTS and HKP the browser will never try to make a plain http connection but will instead move straight to https. The https connection will fail certificate validation thanks to HKP and the MITM will fail.
Scenario 7:
The MITM has obtained the private key for (one of) the site's legitimate certificates
The MITM will succeed
Scenario 8:
The MITM has obtained a certficate for exampe.com from a CA that was manually added to the trusted roots list.
HKP is bypassed and the MITM will succed. (this allows corporate firewalls that inspect https to continue to work, whether that is a good thing or not is debatable).