Re: [HASMAT] HSTS Threat prevalence
Devdatta Akhawe <dev.akhawe@gmail.com> Fri, 06 August 2010 22:07 UTC
In-Reply-To: <4C5C5F9D.3050107@extendedsubset.com>
References: <AANLkTimt60chhpjL=3+ds8aGsBp18_YTAZU0GWs-jD4V@mail.gmail.com> <5EE049BA3C6538409BBE6F1760F328ABEAD832B390@DEN-MEXMS-001.corp.ebay.com> <AANLkTinj7WcbyxPmpEfv0=ntPTnuCCDiP9qD2iyvH_aw@mail.gmail.com> <4C5C5F9D.3050107@extendedsubset.com>
From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 06 Aug 2010 15:08:03 -0700
Message-ID: <AANLkTinKeRh9qZggt_fc1KyrUM-MU3izaD1sW-EBwe-b@mail.gmail.com>
To: Marsh Ray <marsh@extendedsubset.com>
Cc: "Steingruebl, Andy" <asteingruebl@paypal-inc.com>, IETF HASMAT list <hasmat@ietf.org>
Subject: Re: [HASMAT] HSTS Threat prevalence
>>
>> #1 would be good - for a reasonably representative sample (i.e. no
>> stories 'I once sat in a cafe and ...').
>
> How about "I've sat in cafes on multiple occasions with professional
> pen-testers who told me that they employ these techniques quite effectively
> on a regular basis"?

I am not sure if people targeted by professional pentesters are a
"representative sample" of the general web user populace. Maybe I have a
very optimistic/naive view of things.

cheers
devdatta

>
> - Marsh
>
>
>> On 6 August 2010 11:52, Steingruebl, Andy <asteingruebl@paypal-inc.com>
>> wrote:
>>>>
>>>> -----Original Message-----
>>>> From: hasmat-bounces@ietf.org [mailto:hasmat-bounces@ietf.org] On
>>>> Behalf Of Devdatta Akhawe
>>>> Sent: Friday, August 06, 2010 11:36 AM
>>>> To: IETF HASMAT list
>>>> Subject: [HASMAT] HSTS Threat prevalence
>>>>
>>>> Hi all
>>>>
>>>> The HSTS specification talks about possible attacks that could be
>>>> prevented by the use of HSTS. Do we have any data that suggests these
>>>> attacks are actually a concern / being used by attackers anywhere? I
>>>> couldn't find any citation to this effect in the specification.
>>>
>>> We are actively doing research in this area, but we don't know of any
>>> published work at this point.
>>>
>>> For the wider audience - do you want to know:
>>> 1. Whether this is occurring
>>> 2. Its overall frequency/distribution
>>> 3. Both
>>>
>>> Which of these would be most compelling? On a percentage basis the
>>> number of connections being observed by passive network attackers is
>>> probably very small. That doesn't by itself mean we should get rid of TLS.
>>>
>>> Me - I initially want the answer to #1, and then to #2.
>>>
>>> - Andy
>>>
>> _______________________________________________
>> HASMAT mailing list
>> HASMAT@ietf.org
>> https://www.ietf.org/mailman/listinfo/hasmat
>
>