[HASMAT] HSTS Threat prevalence

Devdatta Akhawe <dev.akhawe@gmail.com> Fri, 06 August 2010 18:36 UTC

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 06 Aug 2010 11:36:12 -0700
Message-ID: <AANLkTimt60chhpjL=3+ds8aGsBp18_YTAZU0GWs-jD4V@mail.gmail.com>
To: IETF HASMAT list <hasmat@ietf.org>
Subject: [HASMAT] HSTS Threat prevalence
List-Id: HTTP Application Security Minus Authentication and Transport <hasmat.ietf.org>

Hi all

The HSTS specification talks about possible attacks that could be
prevented by the use of HSTS. Do we have any data that suggests these
attacks are actually a concern / being used by attackers anywhere? I
couldn't find any citation to this effect in the specification.

thanks

regards
devdatta