Re: [HASMAT] HSTS Threat prevalence
Devdatta Akhawe <dev.akhawe@gmail.com> Fri, 06 August 2010 19:09 UTC
Return-Path: <dev.akhawe@gmail.com>
X-Original-To: hasmat@core3.amsl.com
Delivered-To: hasmat@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 127A53A6A2F for <hasmat@core3.amsl.com>; Fri, 6 Aug 2010 12:09:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MpBUlUOizO8B for <hasmat@core3.amsl.com>; Fri, 6 Aug 2010 12:09:10 -0700 (PDT)
Received: from mail-qw0-f44.google.com (mail-qw0-f44.google.com [209.85.216.44]) by core3.amsl.com (Postfix) with ESMTP id 0EAA13A68CC for <hasmat@ietf.org>; Fri, 6 Aug 2010 12:09:09 -0700 (PDT)
Received: by qwe5 with SMTP id 5so5736995qwe.31 for <hasmat@ietf.org>; Fri, 06 Aug 2010 12:09:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:mime-version:received:in-reply-to :references:from:date:message-id:subject:to:cc:content-type :content-transfer-encoding; bh=CzwteqiiiQMtC+2Yq2I18xeXq923s5am1p6xvMGRBLM=; b=WGDBC2SSHkNiFf03JrSa/78ut+ayoTt3xTBFw6QXaCUFSjP+ZKqdrdc0vGG2zoBsdI kXK0tYWevu0lgqzba33zbifNVF2uC7SoaTO8SmhxEJS2ibmjNIORBrT0SCWjyb3wXB6L jpYTPIy+ihvaBgrMU3Cq2P2cKqTYQP4vllXaE=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; b=nYKv1d/I9JucbrNFsoyqvK6AlmFPekyyabYZiZTJrOwQ7J3yryIdpGFCEbPk71ydYt WiU3jtcOOwON4+JJvHTPGpsaljrpk98kUPWYI2njf1Dh6raaB4SYncm01mMpMQtfNbve vSwYXG3ZA9+AljFHTdHRFd1ZUiE09qdA/+t/U=
Received: by 10.224.96.146 with SMTP id h18mr6408336qan.156.1281121781160; Fri, 06 Aug 2010 12:09:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.2.19 with HTTP; Fri, 6 Aug 2010 12:09:21 -0700 (PDT)
In-Reply-To: <5EE049BA3C6538409BBE6F1760F328ABEAD832B390@DEN-MEXMS-001.corp.ebay.com>
References: <AANLkTimt60chhpjL=3+ds8aGsBp18_YTAZU0GWs-jD4V@mail.gmail.com> <5EE049BA3C6538409BBE6F1760F328ABEAD832B390@DEN-MEXMS-001.corp.ebay.com>
From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 06 Aug 2010 12:09:21 -0700
Message-ID: <AANLkTinj7WcbyxPmpEfv0=ntPTnuCCDiP9qD2iyvH_aw@mail.gmail.com>
To: "Steingruebl, Andy" <asteingruebl@paypal-inc.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: IETF HASMAT list <hasmat@ietf.org>
Subject: Re: [HASMAT] HSTS Threat prevalence
X-BeenThere: hasmat@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: HTTP Application Security Minus Authentication and Transport <hasmat.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hasmat>, <mailto:hasmat-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hasmat>
List-Post: <mailto:hasmat@ietf.org>
List-Help: <mailto:hasmat-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hasmat>, <mailto:hasmat-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Aug 2010 19:09:11 -0000
#1 would be good - for a reasonably representative sample (i.e. no stories ' I once sat in a cafe and ... '). cheers devdatta On 6 August 2010 11:52, Steingruebl, Andy <asteingruebl@paypal-inc.com> wrote: >> -----Original Message----- >> From: hasmat-bounces@ietf.org [mailto:hasmat-bounces@ietf.org] On >> Behalf Of Devdatta Akhawe >> Sent: Friday, August 06, 2010 11:36 AM >> To: IETF HASMAT list >> Subject: [HASMAT] HSTS Threat prevalence >> >> Hi all >> >> The HSTS specification talks about possible attacks that could be prevented >> by the use of HSTS. Do we have any data that suggests these attacks are >> actually a concern / being used by attackers anywhere ? I couldn't find any >> citation to this effect in the specification. > > We are actively doing research in this area, but we don't know of any published work at this point. > > For the wider audience - do you want to know: > 1. Whether this is occurring > 2. Its overall frequency/distribution > 3. Both > > Which of these would be most compelling? On a percentage basis the number of connections being observed by passive network attackers is probably very small. That doesn't by itself mean to should get rid of TLS. > > Me - I initially want the answer to #1, and then to #2. > > - Andy >
- [HASMAT] HSTS Threat prevalence Devdatta Akhawe
- Re: [HASMAT] HSTS Threat prevalence Devdatta Akhawe
- Re: [HASMAT] HSTS Threat prevalence Marsh Ray
- Re: [HASMAT] HSTS Threat prevalence Devdatta Akhawe
- Re: [HASMAT] HSTS Threat prevalence Devdatta Akhawe
- Re: [HASMAT] HSTS Threat prevalence Steingruebl, Andy
- Re: [HASMAT] HSTS Threat prevalence Steingruebl, Andy
- Re: [HASMAT] HSTS Threat prevalence Steingruebl, Andy